The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Describe the bug
AWS Inspector detects high severity findings on the Lambdas deployed by this solution
To Reproduce
Enable Inspector and watch the output
Expected behavior
AWS to patch and maintain libraries used in the Lambdas
Please complete the following information about the solution:
Version: v.2.6.0
Region: eu-central-1
Additional context
1) Name: StateMachineLambda
File path: codebuild_scripts/merge_baseline_template_parameter.py
Line: 28, 47, 99
CWE-22 - Path traversal: Constructing path names with unsanitized user input can lead to path traversal attacks (for example, ../../..) that allow an attacker access to file system resources.
2) Name: StateMachineLambda
File path: config_deployer.py & cfct/lambda_handlers/config_deployer.py
Line: 47
CWE-409 - Zip bomb attack: Expanding input archive files without any validation could make your code vulnerable to zip bomb attacks, which could potentially cause denial of service (DoS). We recommend that you sanitize input archive files before extracting them.
3) Name: CustomControlTowerLELambda
File path: codebuild_scripts/find_replace.py
Line: 28, 47, 99
CWE-22 - Path traversal: Constructing path names with unsanitized user input can lead to path traversal attacks (for example, ../../..) that allow an attacker access to file system resources.
4) Name: CustomControlTowerLELambda
File path: config_deployer.py & cfct/lambda_handlers/config_deployer.py
Line: 47
CWE-409 - Zip bomb attack: Expanding input archive files without any validation could make your code vulnerable to zip bomb attacks, which could potentially cause denial of service (DoS). We recommend that you sanitize input archive files before extracting them.
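The two finding classes in the report share a defensive pattern: resolve every untrusted file name against a fixed base directory and refuse anything that escapes it (CWE-22), and check the declared sizes and compression ratios of an archive before extracting a single byte (CWE-409). The helpers below are an added illustration written for this page; they are not code from the CfCT project or from AWS Inspector, and the function names, size limits and sample archive contents are constructed for the demonstration.

```python
"""Defensive helpers for the two Inspector finding classes in the report:
CWE-22 (path traversal) and CWE-409 (zip bomb). Added example, not CfCT code;
names, limits and sample data are assumptions made for the demonstration."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# Constructed limits; tune for the real workload.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across all members
MAX_MEMBER_UNCOMPRESSED = 10 * 1024 * 1024  # 10 MiB per member
MAX_COMPRESSION_RATIO = 100                 # uncompressed / compressed


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Join untrusted_name under base_dir; raise if the result escapes it (CWE-22).

    realpath() collapses '..' segments and symlinks, so '../../..' style names
    and absolute names are caught by comparing the resolved result to the base.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes base directory: {untrusted_name!r}")
    return candidate


def validate_zip(zf: zipfile.ZipFile) -> int:
    """Check every member's declared sizes before extraction (CWE-409).

    Returns the total declared uncompressed size, or raises ValueError when a
    member or the whole archive exceeds the configured limits.
    """
    total = 0
    for info in zf.infolist():
        if info.file_size > MAX_MEMBER_UNCOMPRESSED:
            raise ValueError(f"member too large: {info.filename}")
        if info.compress_size > 0 and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            raise ValueError(f"suspicious compression ratio: {info.filename}")
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise ValueError("archive exceeds total uncompressed size limit")
    return total


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Validate, then extract each member only to a path inside dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        validate_zip(zf)
        for info in zf.infolist():
            target = safe_join(dest_dir, info.filename)   # raises on traversal
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                # Stream with a hard cap so bytes written can never exceed the
                # per-member limit even if the header under-reports the size.
                remaining = MAX_MEMBER_UNCOMPRESSED
                while chunk := src.read(65536):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ValueError(f"member exceeded size cap: {info.filename}")
                    dst.write(chunk)
            written.append(target)
    return written


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory archive for the demo (test input, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Run the helpers against a clean archive, a traversal name and a zip bomb."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as dest:
        clean = build_zip({"manifest.yaml": b"region: eu-central-1\n",
                           "templates/vpc.yaml": b"Resources: {}\n"})
        results["clean_files"] = len(safe_extract(clean, dest))
        hostile = (("traversal", build_zip({"../outside.txt": b"escaped"})),
                   ("zip_bomb", build_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)})))
        for label, archive in hostile:
            try:
                safe_extract(archive, dest)
                results[label] = "extracted"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Validation happens on the central-directory metadata before any write, so an archive whose declared sizes are absurd is rejected at zero cost; the streamed cap during extraction is the backstop for headers that lie. The 4 MiB run of zero bytes in the demo passes the per-member size check but deflates to a few kilobytes, so it is rejected on compression ratio, which is the check that actually distinguishes a bomb from a merely large file.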