PT-2024-22240 · Amazon · Amazon AWS Amplify CLI

Nick Frichette · Published 2024-04-15 · Updated 2025-06-30 · CVE-2024-28056

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Amazon AWS Amplify CLI versions prior to 12.10.1

Description
The issue arises when the Authentication component is removed from an Amplify project: the removal deletes the Condition property from the affected IAM role's trust policy but leaves the "Effect":"Allow" statement in place. The role can then be assumed through sts:AssumeRoleWithWebIdentity by a threat actor with no conditions attached, potentially leading to unauthorized access to an organization's AWS resources. The problem can only occur if an authorized AWS user removes an Authentication component, which may happen in realistic situations such as stopping the use of built-in Cognito resources or moving to a different identity provider.

Recommendations
For Amazon AWS Amplify CLI versions prior to 12.10.1, upgrade to version 12.10.1 or later to mitigate the risk. As a temporary workaround, consider restricting access to the affected IAM roles until the issue is resolved. Avoid removing the Authentication component from Amplify projects unless necessary, and ensure that all changes are made by authorized AWS users.
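The trust-policy shape the description refers to, an Allow statement for sts:AssumeRoleWithWebIdentity with its Condition removed, is easy to audit for. The following checker is an added example written for this record, not code from the advisory, from Amplify, or from AWS: it parses an IAM role trust policy document and flags Allow statements that grant sts:AssumeRoleWithWebIdentity (directly or via a wildcard) without any Condition block. The two sample policies are constructed; the Cognito identity pool id in them is invented and the function names are this example's own.

```python
"""
Added example (not part of the original advisory): audit IAM role trust
policies for Allow statements that grant sts:AssumeRoleWithWebIdentity
without a Condition, the shape described in the advisory above.
The policies below are constructed samples, not real Amplify output.
"""
import json


# Constructed sample: a trust policy that still carries the Cognito condition,
# i.e. the shape before the Authentication component is removed
# (the identity pool id is invented).
SAFE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud":
                    "us-east-1:00000000-0000-0000-0000-000000000000"
            }
        }
    }]
})

# Constructed sample: the same statement with the Condition dropped, leaving
# "Effect": "Allow" with no restriction on who may assume the role.
UNCONDITIONED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity"
    }]
})

# Action values that cover sts:AssumeRoleWithWebIdentity, compared case-insensitively.
WEB_IDENTITY_ACTIONS = ("sts:assumerolewithwebidentity", "sts:*", "*")


def _as_list(value):
    """IAM allows single values or lists in Statement, Action, etc."""
    return value if isinstance(value, list) else [value]


def find_unconditioned_web_identity_statements(trust_policy_json: str) -> list:
    """Return a finding per Allow statement that grants
    sts:AssumeRoleWithWebIdentity and carries no Condition block."""
    policy = json.loads(trust_policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        grants_web_identity = any(a in WEB_IDENTITY_ACTIONS for a in actions)
        # An empty Condition dict is treated the same as a missing one.
        if grants_web_identity and not stmt.get("Condition"):
            findings.append({
                "statement_index": idx,
                "principal": stmt.get("Principal"),
                "actions": actions,
            })
    return findings


def is_vulnerable_trust_policy(trust_policy_json: str) -> bool:
    """True when at least one unconditioned AssumeRoleWithWebIdentity grant exists."""
    return bool(find_unconditioned_web_identity_statements(trust_policy_json))


if __name__ == "__main__":
    for name, doc in (("safe", SAFE_TRUST_POLICY),
                      ("unconditioned", UNCONDITIONED_TRUST_POLICY)):
        print(name, find_unconditioned_web_identity_statements(doc))
```

In a real account the input would be the AssumeRolePolicyDocument returned for each role by `aws iam get-role`, run over every role the Amplify project created; any finding identifies a role whose trust policy lost its Condition and should be restricted, as the recommendations above describe, until the project is on 12.10.1 or later.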

Exploit · Fix

Weakness Enumeration
Improper Privilege Management
Incorrect Default Permissions

Related Identifiers
CVE-2024-28056
GHSA-846G-P7HM-F54R

Affected Products
Amazon AWS Amplify CLI