CVE-2024-28056: 
JavaScript vulnerability analysis and mitigation

CVE-2024-28056 affects AWS Amplify CLI versions prior to 12.10.1 and Amplify Studio. The vulnerability involves incorrect configuration of IAM role trust policies associated with Amplify projects. When the Authentication component was removed from an Amplify project built between August 2019 and January 2024, a Condition property was removed while 'Effect:Allow' remained present, allowing sts:AssumeRoleWithWebIdentity to be available to threat actors without conditions (AWS Security Bulletin, Datadog Labs).

The vulnerability stems from two variants of misconfiguration in IAM role trust policies. In variant one (August 2019 to January 2024), removing the Authentication component would leave the role trust policy with an 'Effect:Allow' statement without the necessary Condition element. In variant two (July 2018 to August 2019), roles were created with a vulnerable default configuration that included an authenticated/unauthenticated condition but lacked proper identity pool restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD, Datadog Labs).

The vulnerability could allow unauthorized access to AWS resources if exploited. Affected roles maintained their original privileges after becoming vulnerable, potentially giving attackers access to various AWS services depending on the role's permissions. The vulnerability was particularly severe because potentially vulnerable role ARNs were easily discoverable, and the exposure period lasted several years (Datadog Labs).

AWS has implemented multiple mitigations: 1) Released Amplify CLI version 12.10.1 with fixes, 2) Added a mitigation to AWS Security Token Service (STS) to prevent cross-account role assumptions with vulnerable trust policies, 3) Added a mitigation to AWS Identity and Access Management (IAM) control plane to prevent creation of role trust policies without proper conditions. Users should upgrade to Amplify CLI 12.10.1 or higher (AWS Security Bulletin).

The vulnerability was discovered and responsibly disclosed by Datadog Security Research. AWS responded promptly by releasing fixes and implementing backend mitigations. The vulnerability has garnered attention due to its potential impact on AWS Amplify users and the extended period of exposure (Wiz Newsletter).