CVE-2023-35165

Name of the Vulnerable Software and Affected Versions aws-cdk-lib versions 2.0.0 through 2.80.0 @aws-cdk/aws-eks versions 1.57.0 through 1.202.0

Description The issue concerns the AWS Cloud Development Kit (AWS CDK), an open-source software development framework. In the affected packages, eks.Cluster and eks.FargateCluster constructs create two roles, CreationRole and default MastersRole, with overly permissive trust policies. The CreationRole is used by lambda handlers to create the cluster and deploy Kubernetes resources, while the default MastersRole has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected by the CreationRole, and users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected by the default MastersRole. The issue has been fixed in @aws-cdk/aws-eks v1.202.0 and aws-cdk-lib v2.80.0, which restrict the trust policy to specific roles of lambda handlers.

Recommendations To resolve the issue for aws-cdk-lib versions 2.0.0 through 2.80.0, upgrade to version 2.80.0 or later. To resolve the issue for @aws-cdk/aws-eks versions 1.57.0 through 1.202.0, upgrade to version 1.202.0 or later. As a temporary workaround for the default MastersRole, use the mastersRole property to explicitly provide a role. For example: new eks.Cluster(this, 'Cluster', { ... mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') });