CVE-2023-51386

Published: Dec 22, 2023Modified: Nov 21, 2024

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially read data from the events table by sending request payloads to the events API, collecting information on planned events, timeframes, budgets and owner email addresses. This data access may allow users to get insights into upcoming events and join events which they have not been invited to. This issue has been patched in version 1.10.0.

Affected (1)

Products: Amazon: Awslabs Sandbox Accounts For Events

1 product

Awslabs Sandbox Accounts For Events

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Amazon Awslabs Sandbox Accounts For Events	Before 1.1.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79

Source: security-advisories@github.com

Patch

https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-p7w3-j66h-m7mx

Source: security-advisories@github.com

Third Party Advisory

https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-p7w3-j66h-m7mx

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.