CVE-2023-51386: Sandbox Accounts for Events vulnerable to privilege escalation to read running events data
First published: Fri Dec 22 2023(Updated: )
Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially read data from the events table by sending request payloads to the events API, collecting information on planned events, timeframes, budgets and owner email addresses. This data access may allow users to get insights into upcoming events and join events which they have not been invited to. This issue has been patched in version 1.10.0.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/title
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/amazon
- canonical/amazon awslabs sandbox accounts for events