← Back

CVE-2025-14503

nvd nist
Published: Dec 15, 2025Modified: Jan 30, 2026

JSON object

Loading...
8.6
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5 (Secondary)

Description

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

Affected (1)

Products: Amazon: Harmonix
Amazon
1 product
Harmonix
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Harmonix
From 0.3.0 to 0.4.2

Related CWEs

CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (3)

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
PatchVendor Advisory
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Issue Tracking
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Vendor Advisory

Timeline

No history available yet.