CVE
GHSA-q2f7-m237-v562
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail.
Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions.
Remediation: upgrade @hulumi/policies to 1.3.2 or later.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-q2f7-m237-v562, https://github.com/kerberosmansour/hulumi
Basic Information
Ecosystem
