AWS Sandbox Accounts for Events Prev1.1.0 (API claim via GUI)
CVE-2023-50928 Published on December 22, 2023
sandbox-accounts-for-events security misconfiguration leads to budget exceed
"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.
Vulnerability Analysis
CVE-2023-50928 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2023-50928 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2023-50928
Want to know whenever a new CVE is published for Amazon Awslabs Sandbox Accounts Events? stack.watch will email you.
Affected Versions
awslabs sandbox-accounts-for-events Version < 1.1.0 is affected by CVE-2023-50928Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.