PT-2023-31713 · Unknown · Sandbox Accounts For Events

Mahmoud0X00 · Published 2023-12-22 · Updated 2024-01-08 · CVE-2023-50928

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Sandbox Accounts for Events, versions prior to 1.1.0

Description
The issue allows authenticated users to potentially claim and access empty AWS accounts by sending request payloads to the account API that contain non-existent event ids and a self-defined budget and duration. Only cleaned (empty) AWS accounts are affected; it is not possible to access AWS accounts in use or any existing data or infrastructure.

Recommendations
For versions prior to 1.1.0, update to version 1.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the account API to minimize the risk of exploitation. Avoid using the API to claim empty AWS accounts with non-existent event ids until the issue is resolved.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2023-50928
GHSA-CG8W-7Q5V-G32R

Affected Products

Sandbox Accounts For Events