CVE-2023-35165: 
JavaScript vulnerability analysis and mitigation

AWS Cloud Development Kit (AWS CDK) versions aws-cdk-lib 2.0.0 to 2.80.0 and @aws-cdk/aws-eks 1.57.0 to 1.202.0 contain a security vulnerability where the eks.Cluster and eks.FargateCluster constructs create roles with overly permissive trust policies. The vulnerability was disclosed in June 2023 and affects the AWS CDK framework used for defining cloud infrastructure in code (GitHub Advisory).

The vulnerability involves two roles with overly permissive trust policies: 1) The CreationRole, used by lambda handlers to create clusters and deploy Kubernetes resources, affects users with CDK version 1.62.0 and higher. 2) The default MastersRole, used for kubectl commands when mastersRole property isn't provided, affects users with CDK version 1.57.0 and higher. Both roles use the account root principal in their trust policy, allowing any identity in the account with appropriate sts:AssumeRole permissions to assume these roles (GitHub Issue).

An identity with access to a role that has the appropriate sts:AssumeRole permission can gain greater than intended access to the cluster. This could potentially lead to unauthorized access to Kubernetes resources and cluster management capabilities (GitHub Advisory).

The issue has been fixed in versions v1.202.0 and v2.80.0, which no longer use the account root principal and instead restrict the trust policy to specific roles of lambda handlers. For the MastersRole, users can avoid the vulnerability by explicitly providing a role using the mastersRole property. There is no workaround available for the CreationRole issue (GitHub Advisory).