PT-2024-27450 · Amazon · Aws-Deployment-Framework

Zolaer9527 · Published 2024-06-11 · Updated 2024-08-16 · CVE-2024-37293

CVSS v3.1: 7.5 (High)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: aws-deployment-framework versions prior to 4.0.0

Description: The AWS Deployment Framework (ADF) contains a bootstrap process that relies on elevated privileges to deploy ADF's bootstrap stacks, facilitating multi-account cross-region deployments. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the sts:AssumeRole operation without further restrictions, allowing it to assume into any AWS Account in the AWS Organization with elevated privileges. This issue can be exploited by an actor with permissions to change the behavior of the CodeBuild project or the Lambda function, enabling them to escalate their privileges.

Recommendations: As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account. Upgrade to aws-deployment-framework version 4.0.0 to resolve the issue.
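As an added example (not code from the ADF project or from this advisory), the following Python models both points above: a check that flags an identity policy granting sts:AssumeRole on roles in any account with no Condition, and a simplified policy evaluation showing why the recommended deny-all-IAM-and-STS permissions boundary blocks that call while leaving the role's other permissions intact. The sample policy is constructed rather than ADF's actual bootstrap role policy, and the evaluator ignores Conditions and NotAction.

```python
import fnmatch

# Constructed sample shaped like the grant the advisory describes (not ADF's actual policy):
# sts:AssumeRole on any role in any account, with no Condition narrowing it.
BOOTSTRAP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AssumeAnywhere", "Effect": "Allow",
     "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
]}

# The advisory's interim mitigation: deny all IAM and STS actions. The Allow "*" is required
# because a permissions boundary grants nothing it does not list.
DENY_IAM_STS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "sts:*"], "Resource": "*"},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])
def _matches(pattern, value):  # IAM action names are case-insensitive; '*' and '?' are wildcards
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())
def _any_account(resource):  # "*" or an IAM ARN whose account segment is wildcarded
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    return resource == "*" or (len(parts) == 6 and parts[2] == "iam" and "*" in parts[4])

def unrestricted_assume_role(policy):
    """Sids of Allow statements granting sts:AssumeRole on any-account roles with no Condition."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))) and \
           any(_any_account(r) for r in _as_list(stmt.get("Resource"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def _decision(policy, action, resource):
    verdict = None  # None = no matching statement, i.e. implicit deny
    for stmt in policy.get("Statement", []):
        if any(_matches(a, action) for a in _as_list(stmt.get("Action"))) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_allowed(identity_policy, boundary, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise identity policy and boundary (if set) must both Allow."""
    decisions = [_decision(p, action, resource) for p in (identity_policy, boundary) if p]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)
```

Running the checker over each ADF-created role's policies in the management account is a quick way to confirm the exposure, and the evaluator shows the boundary removes sts:AssumeRole without touching unrelated permissions such as logging.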

Exploit · Fix

Weakness Enumeration: Incorrect Privilege Assignment

Related Identifiers: CVE-2024-37293, GHSA-MCJ7-PPMV-H6JR

Affected Products: Aws-Deployment-Framework