
Secrets rotation lambda is affected by CWE-117 and CWE-93 #157

Open
Niffy opened this issue Feb 21, 2025 · 0 comments

Comments


Niffy commented Feb 21, 2025

When looking in AWS Inspector, it appears the lambda for secret rotation is vulnerable to the following log injection CWEs:
CWE-117
CWE-93

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

It marks the severity as high.

The finding occurs here
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py#L59

`logger.error("Secret %s is not enabled for rotation" % arn)`

Having this resolved would be great and would mean we have no high vulnerabilities on our account.
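As an added illustration of the fix the finding asks for (this is example code, not part of the issue or of the aws-secrets-manager-rotation-lambdas project), the block below shows a small sanitizer that neutralizes CR/LF and other control characters before a caller-supplied value is interpolated into a log message, and a check that a formatted record stays on one line. The function names `sanitize_for_log`, `format_rotation_error` and `is_single_record` and the sample ARN are assumptions made for the example; the message text matches the line the issue quotes.

```python
import logging
import re

logger = logging.getLogger(__name__)

# C0 control characters (including \r and \n), DEL, and the C1 range: any of
# these can terminate a log record early or confuse a terminal or log parser.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_for_log(value, max_len=256):
    """Return value as a single-line, printable string safe to interpolate into a log message.

    Line breaks (the CWE-93 / CWE-117 vector) are replaced by their escaped forms so
    any injected text stays visibly inside the original record; other control
    characters become \\xNN; very long values are truncated.
    """
    text = str(value)

    def _escape(match):
        ch = match.group(0)
        if ch == "\n":
            return "\\n"
        if ch == "\r":
            return "\\r"
        if ch == "\t":
            return "\\t"
        return "\\x%02x" % ord(ch)

    text = _CONTROL_CHARS.sub(_escape, text)
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text


def format_rotation_error(arn):
    """Build the message the lambda logs for a secret that is not rotation-enabled,
    sanitizing the caller-supplied ARN first (hypothetical helper, not the project's)."""
    return "Secret %s is not enabled for rotation" % sanitize_for_log(arn)


def is_single_record(message):
    """Check usable in unit tests or log review: a well-formed record has no raw line breaks."""
    return "\n" not in message and "\r" not in message


if __name__ == "__main__":
    # Constructed sample input: an ARN (example account id) followed by a line break
    # and text that would otherwise appear as a separate, fake INFO entry.
    sample = "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo\nINFO rotation complete"
    unsanitized = "Secret %s is not enabled for rotation" % sample
    hardened = format_rotation_error(sample)
    print("unsanitized is single record:", is_single_record(unsanitized))
    print("hardened is single record:   ", is_single_record(hardened))
    logger.error(hardened)
```

The same `sanitize_for_log` wrapper can be applied to any value that originates outside the function (event fields, secret names, ARNs) before it reaches `logger.*`; an alternative is a logging `Filter` that rewrites `record.getMessage()` centrally, which avoids having to remember the wrapper at every call site.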
