Select Page

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.

The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action.

The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6.

“This attack abuses the AppSync service to assume [identity and access management] roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts,” Datadog researcher Nick Frichette said in a report published last week.

In a coordinated disclosure, Amazon said that no customers were affected by the vulnerability and that no customer action is required.

images from Hacker News