CVE-2024-37293
CVSS 3.1 Score 7.8 of 10 (high)
Details
Summary
CVE-2024-37293 is a vulnerability affecting the AWS Deployment Framework (ADF). The issue lies in the ADF bootstrap process, which relies on elevated privileges to deploy stacks for multi-account, cross-region deployments. Before version 4.0.0, the bootstrap CodeBuild role lacked restrictions, allowing an actor to assume a role in any AWS account within the organization and potentially escalate privileges. To mitigate this risk, upgrade to version 4.0.0, which contains the patch, or set up a permissions boundary that denies all IAM and STS actions for ADF roles. The permissions boundary workaround disables ADF's account management and bootstrapping capabilities but mitigates the privilege escalation.
Affected Vendors
- Amazon.com