Lumigo Autodeploy Layer Insecure Permissions Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in Lumigo's Autodeploy Layer in versions through 1.2.0, where insecure permissions allow attackers to escalate privileges and compromise the customer's cloud account. The issue arises because the 'DeployToNewFunctions' and 'DeployToExistingFunctions' features use an inline policy that grants the 'lambda:UpdateFunctionConfiguration' permission for all resources. This could enable an attacker to update the configurations of other Lambda functions to intercept temporary security credentials from their execution roles, ultimately leading to unauthorized access to the customer's cloud account.
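
A defender can catch this class of misconfiguration before deployment by linting the IAM policy documents a tool or layer installs. The following added example (not Lumigo's code; the two policy documents are constructed, with a placeholder account id and function name) flags any Allow statement that grants lambda:UpdateFunctionConfiguration, directly or through an action wildcard, on a resource that covers every function, and shows the same grant scoped to a single function ARN, which is the mitigation:

```python
# Static check for the over-broad grant described above (lambda:UpdateFunctionConfiguration on every function).
import fnmatch
import json

TARGET_ACTION = "lambda:UpdateFunctionConfiguration"

def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action=TARGET_ACTION):
    # IAM action names are case-insensitive and patterns may contain '*'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def resource_is_unscoped(resource):
    # "*", an ARN ending in a bare ":*", or an ARN whose function-name
    # segment is "*" all cover every function in the account.
    if resource == "*":
        return True
    if ":function:" in resource:
        return resource.split(":function:", 1)[1] == "*"
    return resource.rsplit(":", 1)[-1] == "*"

def find_overbroad_statements(policy):
    # Returns the Sid (or position) of each Allow statement granting the target
    # action on an unscoped resource; Conditions are not evaluated, so a
    # conditioned grant is still reported for manual review.
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p) for p in _as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "NotResource" in stmt or any(resource_is_unscoped(r) for r in resources):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings

# Constructed sample resembling the weak grant; not the vendor's actual policy.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AutodeployUpdate", "Effect": "Allow",
  "Action": ["lambda:UpdateFunctionConfiguration", "lambda:GetFunction"],
  "Resource": "*"}]}""")

# Constructed hardened form: same action, scoped to the one function the
# deploy feature manages (placeholder account id and function name).
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AutodeployUpdate", "Effect": "Allow",
  "Action": "lambda:UpdateFunctionConfiguration",
  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-api"}]}""")
```

Run the check over every inline and managed policy attached to the layer's deployment role; an empty result for each is the pass condition.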

Impact

Exploitation of this vulnerability could result in unauthorized access to temporary security credentials of AWS Lambda execution roles, allowing an attacker to update function configurations and potentially take over the customer's cloud account.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.