aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Most, if not all, Lambda functions created by version 4.0.0 contain a vulnerability in the Python requests package #248

Closed sboonyakiatACR closed 10 months ago

sboonyakiatACR commented 1 year ago

Amazon Inspector detects that several Lambda functions created by WAF Automation version 4.0.0 contain a vulnerable "requests" package for Python. Details are below:

  1. ReputationListParser
  2. MoveS3LogsForPartition
  3. LogParser
  4. Helper
  5. CustomResource
  6. AddAthenaPartitions
  7. CustomTimer

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
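
As an added example (not part of this issue or of the aws-waf-security-automations project), a defender-side triage script: it classifies a requests version string against the affected range stated above and, if requests is importable, probes offline whether that build still copies proxy credentials into a Proxy-Authorization header on an HTTPS request via Session.rebuild_proxies. The proxy URL and its credentials are constructed placeholders, and no connection is opened.

```python
import re

# Affected range stated in the advisory: 2.3.0 <= version < 2.31.0.
FIRST_AFFECTED = (2, 3, 0)
FIXED_IN = (2, 31, 0)

def parse_version(text):
    """'2.28.2' -> (2, 28, 2); suffixes such as 'rc1' or '.dev0' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def version_in_affected_range(version):
    """Triage by version string, e.g. over `pip freeze` output of a Lambda package."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

def installed_requests_version():
    """Version of the requests importable here, or None if it is not installed."""
    try:
        import requests
    except ImportError:
        return None
    return requests.__version__

def probe_installed_requests():
    """True if this requests build attaches Proxy-Authorization to an HTTPS request
    (the leak in CVE-2023-32681), False if it withholds it, None if not installed."""
    if installed_requests_version() is None:
        return None
    import requests
    session = requests.Session()
    session.trust_env = False  # ignore HTTPS_PROXY and friends from the environment
    req = requests.Request("GET", "https://example.invalid/").prepare()
    # Constructed proxy URL with placeholder credentials; nothing is contacted.
    session.rebuild_proxies(req, {"https": "http://user:placeholder@proxy.invalid:8080"})
    return "Proxy-Authorization" in req.headers

if __name__ == "__main__":
    ver = installed_requests_version()
    if ver is None:
        print("requests is not installed")
    else:
        print(f"requests {ver}: version range affected={version_in_affected_range(ver)}, "
              f"Proxy-Authorization attached to HTTPS request={probe_installed_requests()}")
```

Run it inside each Lambda deployment package's runtime (for example from a container built from the package) so the probe exercises the requests that the function actually ships, not the one on the workstation.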

aijunpeng commented 1 year ago

Thanks for the issue. Added it to our backlog to investigate further.