Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40aws-amplify/cli@12.10.1
Type npm
Namespace @aws-amplify
Name cli
Version 12.10.1
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-28ah-fmr7-nyax
vulnerability_id VCID-28ah-fmr7-nyax
summary
AWS Amplify CLI has incorrect trust policy management
Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28056
reference_id
reference_type
scores
0
value 0.00648
scoring_system epss
scoring_elements 0.71217
published_at 2026-06-06T12:55:00Z
1
value 0.00648
scoring_system epss
scoring_elements 0.71211
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28056
1
reference_url https://aws.amazon.com/security/security-bulletins/AWS-2024-003
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://aws.amazon.com/security/security-bulletins/AWS-2024-003
2
reference_url https://github.com/aws-amplify/amplify-cli
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/aws-amplify/amplify-cli
3
reference_url https://github.com/aws-amplify/amplify-cli/blob/8ad57bf99a404f3c92547c8a175458016f682fac/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-18T18:02:47Z/
url https://github.com/aws-amplify/amplify-cli/blob/8ad57bf99a404f3c92547c8a175458016f682fac/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
4
reference_url https://github.com/aws-amplify/amplify-cli/commit/73b08dc424db2fb60399c5343c314e02e849d4a1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-18T18:02:47Z/
url https://github.com/aws-amplify/amplify-cli/commit/73b08dc424db2fb60399c5343c314e02e849d4a1
5
reference_url https://github.com/aws-amplify/amplify-cli/releases/tag/v12.10.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-18T18:02:47Z/
url https://github.com/aws-amplify/amplify-cli/releases/tag/v12.10.1
6
reference_url https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover
7
reference_url https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/
reference_id amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-18T18:02:47Z/
url https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/
8
reference_url https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
reference_id AWS-2024-003
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-18T18:02:47Z/
url https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28056
reference_id CVE-2024-28056
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28056
10
reference_url https://github.com/advisories/GHSA-846g-p7hm-f54r
reference_id GHSA-846g-p7hm-f54r
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-846g-p7hm-f54r
fixed_packages
0
url pkg:npm/%40aws-amplify/cli@12.10.1
purl pkg:npm/%40aws-amplify/cli@12.10.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540aws-amplify/cli@12.10.1
aliases CVE-2024-28056, GHSA-846g-p7hm-f54r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-28ah-fmr7-nyax
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540aws-amplify/cli@12.10.1