CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
30.9%
An Amazon Web Services (AWS) developer who does not specify the --owners
flag when describing images via AWS CLI, and therefore not properly
validating source software per AWS recommended security best practices, may
unintentionally load an undesired and potentially malicious Amazon Machine
Image (AMI) from the uncurated public community AMI catalog.
Author | Note |
---|---|
msalvatore | This CVE may actually be against hashicorp/packer instead of awscli. Monitor https://github.com/hashicorp/packer/issues/6584 to see if this actually affects awscli. |
redhat | Closing this bug as NOTABUG and asked MITRE for rejection, since the issue does not seem to be in AWS CLI but in Packer. |
msalvatore | Amazon has addressed this: “The ability to query for images without specifying an owner is the intended design.” “This seems to have been a gap in 3rd party software” Ignoring awscli package. |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
30.9%