Impact
The vulnerability is an overly permissive file permission setting in the AWS Command Line Interface. On Unix‑like systems where the default umask has not been modified, the CLI writes credential files with world‑readable permissions for specific subcommands (aws codeartifact login, aws iam create‑virtual‑mfa‑device, aws deploy register). As a result, any local user on the same host can read these files and obtain AWS credentials that were intended to be private, enabling credential compromise. The underlying weakness is described by CWE-732 and carries a moderate impact.
Affected Systems
The issue affects AWS CLI version 1 releases earlier than 1.44.78 and AWS CLI version 2 releases earlier than 2.34.29. Systems running these unpatched CLI versions on Unix‑like operating systems are vulnerable. Based on the description, it is inferred that the vulnerability applies only to Unix‑like systems and not to Windows binaries.
Risk and Exploitability
The CVSS score of 6.8 places the flaw in the Medium severity range. EPSS data is not available, and the flaw is not listed in CISA's KEV catalog, suggesting no evidence of widespread exploitation. The attack vector is local; any user with access to the host can read the files if the umask allows it. The risk is proportional to the number of local users and the importance of the credentials stored. There are no network prerequisites, making the exploit straightforward in environments with shared accounts or compromised local users.
OpenCVE Enrichment