CVE-2023-50928 - OpenCVE

"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Awslabs Sandbox Accounts For Events

Configuration 1 [-]

cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79
https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-22T21:00:49.814Z

Updated: 2024-08-02T22:23:43.827Z

Reserved: 2023-12-15T20:57:23.174Z

Link: CVE-2023-50928

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-22T21:15:08.580

Modified: 2024-01-08T15:23:00.327

Link: CVE-2023-50928

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50928", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-15T20:57:23.174Z", "datePublished": "2023-12-22T21:00:49.814Z", "dateUpdated": "2024-08-02T22:23:43.827Z"}, "containers": {"cna": {"title": " sandbox-accounts-for-events security misconfiguration leads to budget exceed", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r"}, {"name": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79", "tags": ["x_refsource_MISC"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79"}], "affected": [{"vendor": "awslabs", "product": "sandbox-accounts-for-events", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T21:00:49.814Z"}, "descriptions": [{"lang": "en", "value": "\"Sandbox Accounts for Events\" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0."}], "source": {"advisory": "GHSA-cg8w-7q5v-g32r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:23:43.827Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r"}, {"name": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC15DDF8-BE84-4B47-A804-CEF17DCC9722", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\"Sandbox Accounts for Events\" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0."}, {"lang": "es", "value": "Sandbox Accounts for Events proporciona m\u00faltiples cuentas temporales de AWS a varios usuarios autenticados simult\u00e1neamente a trav\u00e9s de una GUI basada en navegador. Los usuarios autenticados podr\u00edan reclamar y acceder a cuentas vac\u00edas de AWS enviando payloads de solicitud a la API de la cuenta que contienen identificadores de eventos inexistentes y un presupuesto y una duraci\u00f3n autodefinidos. Este problema solo afecta a las cuentas de AWS limpiadas; no es posible acceder a las cuentas de AWS en uso ni a los datos/infraestructura existentes. Este problema se solucion\u00f3 en la versi\u00f3n 1.1.0."}], "id": "CVE-2023-50928", "lastModified": "2024-01-08T15:23:00.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-22T21:15:08.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}