Gavinzz

#31532 of 53,624
8.1 Total CVSS
Vulnerabilities · 1
PT-2025-4846
8.1
2025-01-17
Amazon · Aws Cdk · CVE-2025-23206
**Name of the Vulnerable Software and Affected Versions**

AWS Cloud Development Kit (AWS CDK) versions prior to 2.177.0

**Description**

The issue concerns the AWS Cloud Development Kit's (AWS CDK) handling of IAM OIDC custom resource provider packages. Specifically, the `tls.connect` call sets `rejectUnauthorized: false`, which bypasses verification of the server certificate against trusted CAs and results in insecure transport. This could allow unauthorized OIDC providers to be connected, although the risk is mitigated by the Lambda environment and by the fact that users define the issuer URL. The estimated number of potentially affected devices is not provided, and there are no reported real-world incidents in which this issue was exploited. The `rejectUnauthorized` option should be set to `true`, in line with best practice.

**Recommendations**

- Upgrade to AWS CDK version 2.177.0 or later.
- Once upgraded, set the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` to `true` in `cdk.context.json` or `cdk.json`.
- As a temporary workaround, consider setting the environment variable `NODE_TLS_REJECT_UNAUTHORIZED` to `1`, which enables TLS verification.
- Restrict access to the vulnerable `oidc-handler` module to minimize the risk of exploitation.
- Avoid using `tls.connect` with `rejectUnauthorized: false` in the affected API endpoint until the issue is resolved.