Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-916a-bfkj-yyh7
Vulnerability ID VCID-916a-bfkj-yyh7
Aliases CVE-2023-35165
GHSA-rx28-r23p-2qc3
Summary AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. The first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected. The second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected. The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-863 Incorrect Authorization
CWE-266 Incorrect Privilege Assignment
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-35165
cvssv3.1 6.6 https://github.com/aws/aws-cdk
generic_textual MODERATE https://github.com/aws/aws-cdk
cvssv3.1 6.6 https://github.com/aws/aws-cdk/issues/25674
generic_textual MODERATE https://github.com/aws/aws-cdk/issues/25674
ssvc Track https://github.com/aws/aws-cdk/issues/25674
cvssv3.1 6.6 https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
generic_textual MODERATE https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
ssvc Track https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
cvssv3.1 6.6 https://nvd.nist.gov/vuln/detail/CVE-2023-35165
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-35165
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-35165
https://github.com/aws/aws-cdk
https://nvd.nist.gov/vuln/detail/CVE-2023-35165
25674 https://github.com/aws/aws-cdk/issues/25674
GHSA-rx28-r23p-2qc3 https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/aws/aws-cdk
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/aws/aws-cdk/issues/25674
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T16:12:30Z/ Found at https://github.com/aws/aws-cdk/issues/25674
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T16:12:30Z/ Found at https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-35165
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.20361
EPSS Score 0.00065
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:24:03.550513+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/35xxx/CVE-2023-35165.json 38.6.0