Vulnerability Details CVE-2023-35165
AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy.
The first, referred to as the `CreationRole`, is used by Lambda handlers to create the cluster and deploy Kubernetes resources (e.g. `KubernetesManifest`, `HelmChart`, ...) onto it. Users with a CDK version greater than or equal to 1.62.0 (including v2 users) may be affected.
The second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided, and it has permissions to execute `kubectl` commands on the cluster. Users with a CDK version greater than or equal to 1.57.0 (including v2 users) may be affected.
The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of the Lambda handlers that need it. There is no workaround available for the `CreationRole`. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role.
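To check whether a synthesized CloudFormation template still contains roles that trust the account root principal, the trust policies can be scanned directly. The following is an added example, not code from the advisory or from AWS CDK; the function names, logical IDs and sample template are constructed, and it assumes the account root principal is rendered either as a literal ARN or as an `Fn::Join` over `AWS::Partition` and `AWS::AccountId`.

```python
import re

# Account root as an ARN, or the bare 12-digit account ID (equivalent in IAM).
ROOT_PRINCIPAL = re.compile(r"^(arn:[^:]*:iam::[^:]*:root|\d{12})$")

def render(value):
    """Flatten a string, Ref or Fn::Join into one comparable string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        return "${%s}" % value["Ref"].replace("::", ".")
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(render(p) for p in parts)
    return ""  # other intrinsics, e.g. Fn::GetAtt of a role ARN, are not matched

def as_list(value):
    return value if isinstance(value, list) else [value]

def roles_trusting_account_root(template):
    """Return logical IDs of AWS::IAM::Role resources assumable by account root."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            principal = stmt.get("Principal", {})
            if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            if any(ROOT_PRINCIPAL.match(render(p)) for p in as_list(principal.get("AWS", []))):
                hits.append(logical_id)
                break
    return hits

# Constructed sample: logical IDs are illustrative, not real CDK output.
ROOT = {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::",
                          {"Ref": "AWS::AccountId"}, ":root"]]}

def role(principal):
    return {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": principal}]}}}

SAMPLE = {"Resources": {
    "ClusterCreationRoleEXAMPLE": role({"AWS": ROOT}),   # pre-fix trust policy
    "ClusterMastersRoleEXAMPLE": role({"AWS": ROOT}),    # default MastersRole
    "HandlerScopedRoleEXAMPLE": role({"AWS": {"Fn::GetAtt": ["HandlerRoleEXAMPLE", "Arn"]}}),
    "NodeRoleEXAMPLE": role({"Service": "ec2.amazonaws.com"}),
}}
print(roles_trusting_account_root(SAMPLE))
```

The check flags any role that trusts the account root, so each hit still needs review to confirm it is the EKS `CreationRole` or `default MastersRole` rather than an intentional trust relationship.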
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.9%
CVSS Severity
CVSS v3 Score 6.6
Products affected by CVE-2023-35165