
GHSA-5pq3-h73f-66hr
JavaScript vulnerability analysis and mitigation

Overview

The AWS CDK CodePipeline vulnerability (GHSA-5pq3-h73f-66hr) is a security issue discovered in aws-cdk-lib versions prior to 2.184.0. The vulnerability involves overly broad trust policies in AWS IAM roles created by the CDK CodePipeline construct. When a CodePipeline is created with the CDK Construct Library, the IAM trust policies it generates are too permissive: any principal in the account with unrestricted sts:AssumeRole permissions can assume the role (GitHub Advisory).

Technical details

The vulnerability affects the role creation mechanism of the AWS CodePipeline construct. When a CodePipeline is deployed with the CDK Construct Library, it creates several IAM roles, some of which have overly broad trust policies. Specifically, roles such as 'PipelineProdPromoteToProd' and 'PipelineSourceYYY' can be assumed by the entire account rather than being restricted to specific services or roles. The vulnerability has been assigned a Low severity rating and affects aws-cdk-lib versions below 2.184.0 (GitHub Issue).

Impact

Exploiting this vulnerability requires an actor who is already authenticated in the AWS account and holds unrestricted sts:AssumeRole permissions. If exploited, an attacker could gain the permissions granted to the assumed role, which depend on the pipeline's configured actions and may include access to CloudFormation, CodeCommit, Lambda, ECS services, and the S3 bucket containing pipeline build artifacts (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in aws-cdk-lib version 2.184.0. The fix replaces the account root principal in the trust policy with the current pipeline role, behind the feature flag @aws-cdk/pipelines:reduceStageRoleTrustScope. Users should upgrade to version 2.184.0 or later to address this security issue (GitHub Release).
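The two trust-policy shapes the fix is about, side by side with a small audit helper, as an added example that is not code from the advisory or from the CDK project. The account id, the role names and the ARNs are constructed placeholders; the cdk.json context entry is the standard way CDK feature flags are enabled.

```typescript
// Added example (not from the advisory or aws-cdk-lib): audit IAM trust policies
// for the account-root principal that made the CodePipeline stage roles
// assumable by the whole account. All ids and role names are constructed.

type Principal = { AWS?: string | string[]; Service?: string | string[] };
interface Statement { Effect: "Allow" | "Deny"; Principal: Principal | "*"; Action: string | string[] }
interface TrustPolicy { Version: string; Statement: Statement[] }

const ACCOUNT = "111122223333"; // constructed placeholder account id

// Over-broad shape (aws-cdk-lib < 2.184.0): any principal in the account that
// holds sts:AssumeRole can assume the stage role.
export const broadTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: `arn:aws:iam::${ACCOUNT}:root` }, Action: "sts:AssumeRole" }],
};

// Scoped shape after the fix: only the pipeline role may assume the stage role.
export const scopedTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: `arn:aws:iam::${ACCOUNT}:role/PipelineRole` }, Action: "sts:AssumeRole" }],
};

const ROOT_ARN = /^arn:aws:iam::\d{12}:root$/;
const BARE_ACCOUNT = /^\d{12}$/; // a bare account id is shorthand for the :root ARN

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Returns every AWS principal in the policy that grants AssumeRole to the whole account
// (or to everyone, for a "*" principal). An empty result means the policy is scoped.
export function findAccountRootPrincipals(policy: TrustPolicy): string[] {
  const hits: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    const actions = asList(s.Action);
    if (!actions.some(a => a === "sts:AssumeRole" || a === "sts:*" || a === "*")) continue;
    if (s.Principal === "*") { hits.push("*"); continue; }
    for (const p of asList(s.Principal.AWS)) {
      if (ROOT_ARN.test(p) || BARE_ACCOUNT.test(p)) hits.push(p);
    }
  }
  return hits;
}

// cdk.json "context" entry that opts a project into the scoped trust policy once on >= 2.184.0.
export const cdkContextFix = { "@aws-cdk/pipelines:reduceStageRoleTrustScope": true };
```

Run the helper over the trust policies of roles exported from the deployed pipeline stack; any non-empty result identifies a role that still carries the account-wide trust relationship.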

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID               Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-22787       HIGH      8.7    JavaScript    html2pdf.js     No                Yes      Jan 14, 2026
CVE-2026-22820       MEDIUM    6.3    JavaScript    outray          No                Yes      Jan 14, 2026
CVE-2026-22819       MEDIUM    5.9    JavaScript    outray          No                Yes      Jan 14, 2026
CVE-2026-22036       LOW       3.7    JavaScript    node-undici     No                Yes      Jan 14, 2026
GHSA-73rr-hh4g-fpgx  LOW       N/A    JavaScript    diff            No                Yes      Jan 14, 2026
