AWS Cloud Development Kit
cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*
- >= 2.172.0, < 2.178.2
A vulnerability exists in the AWS Cloud Development Kit (CDK) Command Line Interface (CLI) versions 2.172.0 prior to 2.178.2. When used with a credential plugin that returns temporary AWS credentials including an expiration property, these credentials may be inadvertently printed to the console output. This issue does not affect plugins that omit the expiration property.
The vulnerability allows AWS credentials, including access key ID, secret access key, and session token, to be exposed in the console output. This could lead to unauthorized access to AWS resources by anyone with access to the console where the CDK CLI was executed.
To reproduce this vulnerability, use the AWS CDK CLI with a custom credential plugin that returns temporary credentials including an expiration property. This can be done by specifying the plugin via a command line option or a configuration file. Once the plugin is applied, execute a CDK command such as 'cdk deploy'. The credentials will be printed to the console output.
Upgrade the AWS CDK CLI to version 2.178.2 or later. If you have a custom credential plugin, ensure it is updated to remove the expiration property from the credentials object. If an upgrade is not possible, you can downgrade to version 2.171.1.
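As an added illustration (not part of this advisory or the CDK project), the following Node.js helper lets an operator check whether an installed CDK CLI version falls in the affected range stated above and scan captured CDK console output for material that looks like a printed temporary-credentials object, to decide whether the keys need rotating. The credential field names follow the AWS SDK for JavaScript credentials object shape; how CDK actually rendered the object is not stated on the page, so the matching is deliberately loose, and the sample output below is constructed with fake values.

```javascript
// Added example: version-range check plus a scanner for leaked credentials
// in CDK console output. Not code from the advisory or from the CDK project.
const AFFECTED_MIN = [2, 172, 0]; // first affected version (inclusive), from the advisory
const FIXED = [2, 178, 2];        // first fixed version (exclusive), from the advisory

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when 2.172.0 <= version < 2.178.2.
function isAffectedCdkVersion(version) {
  const v = parseSemver(version);
  return cmp(v, AFFECTED_MIN) >= 0 && cmp(v, FIXED) < 0;
}

// Field names as in an AWS SDK for JavaScript credentials object (assumption:
// the leaked object is rendered with these keys; match them as whole words).
const CRED_FIELDS = ['accessKeyId', 'secretAccessKey', 'sessionToken', 'expiration'];
// AWS access key IDs are 20 characters; ASIA... marks temporary (STS) keys, AKIA... long-term keys.
const ACCESS_KEY_RE = /\b(A(?:KIA|SIA)[A-Z0-9]{16})\b/g;

// Scan a block of console output; report which credential fields appeared,
// which access key IDs were seen, and whether the run should be treated as a leak.
function findLeakedCredentials(consoleOutput) {
  const fieldsSeen = CRED_FIELDS.filter((f) => new RegExp(`\\b${f}\\b`).test(consoleOutput));
  const accessKeyIds = [...new Set([...consoleOutput.matchAll(ACCESS_KEY_RE)].map((m) => m[1]))];
  const leaked = fieldsSeen.includes('secretAccessKey') || accessKeyIds.length > 0;
  return { fieldsSeen, accessKeyIds, leaked };
}

// Constructed sample of what a leaky `cdk deploy` run might have logged (fake values).
const SAMPLE_OUTPUT = `
{
  accessKeyId: 'ASIAEXAMPLE123456789',
  secretAccessKey: 'EXAMPLEsecretDoNotUse',
  sessionToken: 'EXAMPLEtoken',
  expiration: 2025-01-01T00:00:00.000Z
}
MyStack: deploying...
`;

console.log({ affected: isAffectedCdkVersion('2.175.0'), scan: findLeakedCredentials(SAMPLE_OUTPUT) });
```

Feed the function the saved output of real CI or developer sessions from the affected versions; any hit means the temporary credentials in that output should be considered exposed.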