PT-2025-51281 · Harmonix on AWS
Published 2025-12-15 · Updated 2025-12-21
CVE-2025-14503
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Harmonix on AWS versions 0.3.0 through 0.4.1
Description
An overly permissive IAM trust policy within the Harmonix on AWS framework could allow IAM principals within the same AWS account to escalate privileges through role assumption. The EKS environment provisioning role's sample code is configured to trust the account root principal, potentially enabling any IAM principal in the same AWS account possessing sts:AssumeRole permissions to assume the role and gain administrative privileges.
Recommendations
Upgrade to Harmonix on AWS version 0.4.2 or later.
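The weakness described above is a trust policy whose principal is the account root, which delegates the assume-role decision to every identity policy in the account. The following added example (not code from the advisory or from the Harmonix project) scans a trust policy for such over-broad principals and produces a hardened copy that trusts only an explicit list of role ARNs; the account ID and role names in it are constructed placeholders.

```python
import json
import re

# Constructed sample modelled on the advisory: a provisioning role whose trust
# policy names the account root principal. Trusting ":root" delegates the
# decision to the account's IAM policies, so any identity in the account that
# holds sts:AssumeRole on this role can assume it. The account ID and role
# names below are placeholders, not values taken from the advisory.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# A bare 12-digit account ID is shorthand for the same account-root principal.
ROOT_PRINCIPAL = re.compile(r"^(arn:aws:iam::\d{12}:root|\d{12})$")


def _principals(statement):
    """Return the AWS principals of a statement as a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_overbroad_principals(policy):
    """List principals that let any identity in the account assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        findings += [p for p in _principals(stmt) if p == "*" or ROOT_PRINCIPAL.match(p)]
    return findings


def harden_trust_policy(policy, allowed_principal_arns):
    """Copy the policy, replacing over-broad principals with an explicit list."""
    hardened = json.loads(json.dumps(policy))  # deep copy; leave the input intact
    for stmt in hardened["Statement"]:
        if find_overbroad_principals({"Statement": [stmt]}):
            stmt["Principal"] = {"AWS": list(allowed_principal_arns)}
    return hardened
```

Run `find_overbroad_principals` over the trust policies returned by `aws iam get-role` to spot roles that still carry the root principal after upgrading.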
Fix
Weakness Enumeration
Incorrect Privilege Assignment
Related Identifiers
Affected Products
EKS
Harmonix on AWS