Update dependency aws-cdk to v2.148.1 [SECURITY] #3
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.147.2
->2.148.1
GitHub Vulnerability Alerts
CVE-2024-45037
Summary
The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a customer’s AWS account. CDK contains pre-built components called "constructs" that are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates.
We identified an issue in AWS Cloud Development Kit (CDK) which, under certain conditions, can result in granting authenticated Amazon Cognito users broader than intended access. Specifically, if a CDK application uses the "RestApi" construct with "CognitoUserPoolAuthorizer" as the authorizer and uses authorization scopes to limit access. This issue does not affect the availability of the specific API resources.
Impact
Authenticated Cognito users may gain unintended access to protected API resources or methods, leading to potential data disclosure, and modification issues.
Impacted versions: >=2.142.0;<=2.148.0
Patches
The patch is included in CDK version >=2.148.1.
Recommended Actions
References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
Release Notes
aws/aws-cdk (aws-cdk)
v2.148.1
Compare Source
Bug Fixes
Alpha modules (2.148.1-alpha.0)
v2.148.0
Compare Source
Features
project.visibility
(#30103) (1bacb69)Bug Fixes
Reverts
delegatedZone
(#30440)" (#30606) (95280a0), closes #30600Alpha modules (2.148.0-alpha.0)
Features
Bug Fixes
v2.147.3
Compare Source
Bug Fixes
Alpha modules (2.147.3-alpha.0)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.