
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The AWS Cloud Development Kit (CDK) library (aws-cdk-lib) contains a vulnerability related to the exposure of sensitive information in log files when using the Cognito UserPoolClient construct. The issue affects versions greater than 2.37.0 and less than 2.187.0. In those versions the custom resource's SDK API call, referred to as 'DescribeCognitoUserPoolClient' in the advisory (the underlying Amazon Cognito API action is DescribeUserPoolClient), logs the full response, including the generated app client secret, to the associated Lambda function's CloudWatch Logs log group (GitHub Advisory).
The vulnerability occurs in the CDK Cognito UserPool construct when users have the CDK generate a secret value for the application client and read it back through the construct (its userPoolClientSecret attribute). To retrieve the generated secret, the CDK deploys a custom resource that performs an SDK API call to 'DescribeCognitoUserPoolClient', and the complete response, secret included, is written to the custom resource Lambda function's log group. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: a low-privileged authenticated principal (PR:L) can obtain the secret over the network with no user interaction, giving a high confidentiality impact but no integrity or availability impact (GitHub Advisory).
The vulnerability exposes the client secret to any authenticated principal in the account whose permissions allow reading the custom resource's log group, which is exactly what a read-only IAM policy grants. It affects customers who have the CDK generate the secret value; customers who generate secret values outside of the CDK are not impacted. Because the value is stored in CloudWatch Logs, it remains readable until the log events expire under the group's retention policy or are deleted, so upgrading alone does not remove an already-logged secret. Reads of the log group are recorded as CloudWatch Logs API calls in AWS CloudTrail, which is where unauthorized access can be monitored (GitHub Advisory).
The vulnerability has been patched in AWS CDK Library release v2.187.0. Users should upgrade to the latest version and rotate secrets by generating new ones in AWS Secrets Manager; any secret that was logged by an affected version should be treated as compromised. For existing applications, users must upgrade to the latest version, set the feature flag @aws-cdk/cognito:logUserPoolClientSecretValue to false in the app's context (for example in cdk.json), and redeploy the application. As a workaround on affected versions, users can override the implementation in a custom UserPoolClient class so that the custom resource's logging is configured with Logging.withDataHidden() (from aws-cdk-lib/custom-resources) instead of the default, which omits response data from the log (GitHub Advisory).
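The two practical checks the advisory implies, whether a secret was actually written to the custom resource's log group and who has read that log group, can be scripted against exported log lines and CloudTrail records. The following is an added example written for this page; it is not code from Wiz, from the GitHub advisory or from the CDK project. The log group name is a placeholder, the log lines and CloudTrail records are constructed to resemble real ones rather than captured, and the set of CloudWatch Logs read actions is the one a log reader would normally use, so confirm it against the events your own trail records.

```python
"""Triage helpers for the aws-cdk-lib Cognito UserPoolClient secret-logging issue.

Added example; not code from Wiz or from the CDK project. Labelled assumptions:
the log group name is a placeholder, the log lines and CloudTrail records below
are constructed, and the set of CloudWatch Logs read actions is the one a log
reader would use (confirm against your own trail).
"""
import re

# Placeholder: substitute the log group of the custom resource provider Lambda
# in your stack (the function that made the DescribeUserPoolClient call).
CUSTOM_RESOURCE_LOG_GROUP = "/aws/lambda/MyStack-CustomResourceProvider-EXAMPLE"

# CloudWatch Logs actions that return log data. CloudTrail records them under
# eventSource "logs.amazonaws.com"; GetLogEvents/FilterLogEvents carry a single
# logGroupName, StartQuery carries logGroupName or logGroupNames.
LOG_READ_EVENTS = {"GetLogEvents", "FilterLogEvents", "StartQuery"}

# A logged SDK response embeds the app client secret as a JSON string field.
CLIENT_ID_RE = re.compile(r'"ClientId"\s*:\s*"([^"]+)"')
CLIENT_SECRET_RE = re.compile(r'"ClientSecret"\s*:\s*"([^"]+)"')


def find_leaked_secrets(log_lines):
    """Scan Lambda log lines and return {ClientId: masked secret} for each
    DescribeUserPoolClient response dump that contains a ClientSecret.
    A non-empty result means the secret is compromised and must be rotated."""
    leaked = {}
    for line in log_lines:
        secret = CLIENT_SECRET_RE.search(line)
        if not secret:
            continue
        client = CLIENT_ID_RE.search(line)
        client_id = client.group(1) if client else "unknown-client"
        s = secret.group(1)
        leaked[client_id] = s[:4] + "..." + s[-2:]  # never re-log the full value
    return leaked


def unexpected_log_reads(records, allowed_principals, log_group=CUSTOM_RESOURCE_LOG_GROUP):
    """Return (principal ARN, eventName, eventTime) for every CloudTrail record
    in which a principal outside allowed_principals read the given log group."""
    findings = []
    for r in records:
        if r.get("eventSource") != "logs.amazonaws.com":
            continue
        if r.get("eventName") not in LOG_READ_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        groups = set(params.get("logGroupNames") or [])
        if params.get("logGroupName"):
            groups.add(params["logGroupName"])
        if log_group not in groups:
            continue
        principal = r.get("userIdentity", {}).get("arn", "unknown")
        if principal in allowed_principals:
            continue
        findings.append((principal, r["eventName"], r.get("eventTime")))
    return findings


# --- Constructed sample data (not real log output) ---------------------------
SAMPLE_LOG_LINES = [
    "START RequestId: 11111111-2222-3333-4444-555555555555 Version: $LATEST",
    'Response: {"UserPoolClient":{"UserPoolId":"us-east-1_EXAMPLE","ClientName":"web",'
    '"ClientId":"1h57kf5cpq17m0eml12EXAMPLE","ClientSecret":"1a2b3c4d5e6f7g8h9i0jEXAMPLEsecretvalueMN"}}',
    "END RequestId: 11111111-2222-3333-4444-555555555555",
]

SAMPLE_CLOUDTRAIL = [
    {"eventSource": "logs.amazonaws.com", "eventName": "GetLogEvents",
     "eventTime": "2025-03-20T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAuditor/alice"},
     "requestParameters": {"logGroupName": CUSTOM_RESOURCE_LOG_GROUP,
                           "logStreamName": "2025/03/20/[$LATEST]abc"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "FilterLogEvents",
     "eventTime": "2025-03-20T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/CdkDeployRole/ci"},
     "requestParameters": {"logGroupName": "/aws/lambda/SomeOtherFunction"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "StartQuery",
     "eventTime": "2025-03-20T11:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"logGroupNames": [CUSTOM_RESOURCE_LOG_GROUP],
                           "queryString": "fields @message | filter @message like /ClientSecret/"}},
]

ALLOWED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/ReadOnlyAuditor/alice"}


if __name__ == "__main__":
    print("leaked:", find_leaked_secrets(SAMPLE_LOG_LINES))
    print("reads :", unexpected_log_reads(SAMPLE_CLOUDTRAIL, ALLOWED_PRINCIPALS))
```

Run find_leaked_secrets over an export of the custom resource's log group first: if it returns anything, the secret in question is compromised regardless of who appears in CloudTrail, and the CloudTrail pass then only tells you how wide the exposure was. Note that StartQuery is matched on its logGroupNames list as well as logGroupName, since a Logs Insights query across several groups is the easiest way for a read-only user to sweep for the string "ClientSecret".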
Source: This report was generated using AI