Summary
Improper request input validation in Temporary Elevated Access Management (TEAM) for AWS IAM Identity Center allows a user to modify a valid request and spoof an approval in TEAM.
Impact
There is an issue in open-source Temporary Elevated Access Management (TEAM) that allows users to self-approve their own access requests by leveraging an improperly validated parameter ("approver") in the GraphQL API. This bypasses the intended validation checks, enabling users to approve their own requests even if they are not designated as eligible approvers for the requested role.
This issue could allow a user to bypass the approval mechanism when assuming a role to which they are already onboarded through TEAM. This issue cannot be leveraged to allow a user to self-approve a request to assume a role which they have not already been onboarded to through TEAM.
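The pattern behind this issue is an approval resolver that trusts an "approver" value supplied in the mutation arguments instead of the identity of the authenticated caller. The following is an added illustration, not TEAM's own code: a vulnerable resolver beside a hardened one, using a constructed in-memory request store and an assumed AppSync-style Lambda resolver event shape (`event["identity"]["username"]`, `event["arguments"]`). All names and the data model are assumptions for illustration.

```python
"""Illustrative access-request approval resolver (added example, not TEAM code).

Models the flaw described in the advisory (a client-controlled "approver"
argument trusted by the server) next to the defender-side fix: derive the
approver from the authenticated caller and validate eligibility server-side.
The event shape and store are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    role: str
    eligible_approvers: frozenset  # who may approve this role (constructed)
    status: str = "pending"
    approved_by: Optional[str] = None


class ApprovalError(Exception):
    """Raised when an approval attempt fails validation."""


def approve_before_fix(event, store):
    """Vulnerable pattern: the approver identity is read from the request body.

    The eligibility check runs against a value the caller chose, so a
    requester can name an eligible approver and satisfy the check themselves.
    """
    args = event["arguments"]
    req = store[args["request_id"]]
    approver = args["approver"]  # client-controlled: never use for authorization
    if approver not in req.eligible_approvers:
        raise ApprovalError("not an eligible approver")
    req.status = "approved"
    req.approved_by = approver
    return req


def approve_after_fix(event, store):
    """Hardened pattern: the approver is the authenticated caller.

    The caller identity is taken from the server-asserted identity context
    (assumed here to be event['identity']['username']), and the request is
    checked for self-approval, eligibility and state before any change.
    """
    args = event["arguments"]
    req = store[args["request_id"]]
    approver = event["identity"]["username"]  # server-asserted caller identity
    if "approver" in args and args["approver"] != approver:
        # Reject rather than silently overwrite: a mismatch is worth logging.
        raise ApprovalError("approver argument does not match caller")
    if approver == req.requester:
        raise ApprovalError("requester cannot approve own request")
    if approver not in req.eligible_approvers:
        raise ApprovalError("caller is not an eligible approver")
    if req.status != "pending":
        raise ApprovalError("request is not pending")
    req.status = "approved"
    req.approved_by = approver
    return req


def sample_store():
    """Constructed request: alice asked for AdminRole; bob and carol may approve."""
    return {
        "req-1": AccessRequest("req-1", "alice", "AdminRole",
                               frozenset({"bob", "carol"}))
    }


def spoofed_event():
    """Constructed: alice is the authenticated caller but names bob in the body."""
    return {"identity": {"username": "alice"},
            "arguments": {"request_id": "req-1", "approver": "bob"}}


def legitimate_event():
    """Constructed: bob, an eligible approver, approves alice's request."""
    return {"identity": {"username": "bob"},
            "arguments": {"request_id": "req-1"}}


def demo():
    """Run both resolvers against the constructed inputs and report outcomes."""
    results = {}
    results["before_fix_spoof"] = approve_before_fix(spoofed_event(), sample_store()).status
    try:
        approve_after_fix(spoofed_event(), sample_store())
        results["after_fix_spoof"] = "approved"
    except ApprovalError as exc:
        results["after_fix_spoof"] = f"rejected: {exc}"
    req = approve_after_fix(legitimate_event(), sample_store())
    results["after_fix_legit"] = (req.status, req.approved_by)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened resolver never consults the client-supplied approver for authorization; it treats a mismatch between that argument and the caller identity as an error so the event is visible in logs, and it separately rejects self-approval, which closes the bypass even for a caller who is otherwise an eligible approver.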
Impacted versions: <v1.2.2
Patches
A fix for this issue has been released in v1.2.2, and we can confirm that TEAM is operating as expected.
Workarounds
Upgrade TEAM to the latest release, v1.2.2. Follow the instructions in the TEAM documentation on updating for the upgrade process.
References
https://github.com/aws-samples/iam-identity-center-team/releases/tag/v1.2.2
Acknowledgement
We would like to thank Werner Bester, Redshift Cyber Security, for collaborating on this issue through the coordinated vulnerability disclosure process.
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting