SCA: security update for aws-cdk (GHSA-qj85-69xf-2vxq)

medium Tenable Self-Hosted Container Security Plugin ID 418164

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using
code. Customers use it to create their own applications which are converted to AWS CloudFormation
templates during deployment to a customer’s AWS account. CDK contains pre-built components called
"constructs" that are higher-level abstractions providing defaults and best practices. This approach
enables developers to use familiar programming languages to define complex cloud infrastructure more
efficiently than writing raw CloudFormation templates. We identified an issue in AWS Cloud Development Kit
(CDK) which, under certain conditions, can result in granting authenticated Amazon Cognito users broader
than intended access. Specifically, if a CDK application uses the "RestApi" construct with
"CognitoUserPoolAuthorizer" as the authorizer and uses authorization scopes to limit access. This issue
does not affect the availability of the specific API resources. Authenticated Cognito users may gain
unintended access to protected API resources or methods, leading to potential data disclosure, and
modification issues. Impacted versions: >=2.142.0;<=2.148.0. A patch is included in CDK versions
>=2.148.1. Users are advised to upgrade their AWS CDK version to 2.148.1 or newer and re-deploy their
application(s) to address this issue. (CVE-2024-45037)

See Also

https://github.com/advisories/GHSA-qj85-69xf-2vxq

Plugin Details

Severity: Medium

ID: 418164

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2024-45037

CVSS v3

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/27/2024

Vulnerability Publication Date: 8/27/2024

Reference Information

CVE: CVE-2024-45037

cwe: CWE-863