
Description

An overly permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role and obtain its administrative privileges. We recommend that customers who deployed the framework using versions v0.3.0 through v0.4.1 upgrade to Harmonix on AWS v0.4.2 or later.
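The weakness described above is a trust policy whose principal is the account root ARN, which delegates the role to every principal in the account that is allowed to call sts:AssumeRole. The following added checker (example code written for this page, not part of Harmonix) flags such account-wide trust and contrasts a constructed permissive policy with a constructed one scoped to a single, hypothetical deployer role; the account id and role name are placeholders.

```python
import json

# Constructed example trust policies (not Harmonix's actual code).
ACCOUNT_ID = "111122223333"  # placeholder account id

# Trusts the account root principal: every principal in the account that is
# allowed to call sts:AssumeRole can assume this role.
PERMISSIVE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Scoped to one named role (hypothetical name), so only that role may assume it.
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleProvisioningDeployer"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action and Principal values."""
    return value if isinstance(value, list) else [value]


def find_account_wide_trust(policy):
    """Return principals that grant sts:AssumeRole to an entire account: an
    account root ARN, a bare account id (equivalent to root), or a wildcard.
    Any Condition block is ignored here and should be reviewed by hand."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*" or p.isdigit() or p.endswith(":root"):
                findings.append(p)
    return findings


if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)]:
        print(name, json.dumps(find_account_wide_trust(policy)))
```

To audit a deployed role, feed the decoded `AssumeRolePolicyDocument` returned by `aws iam get-role` into `find_account_wide_trust`; an empty result means no statement trusts the whole account.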

Status: Published | Reserved 2025-12-10 | Published 2025-12-15 | Updated 2025-12-16 | Assigner AMZN

Severity

HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-266 Incorrect Privilege Assignment

Product status

Default status: unaffected

0.3.0 (semver) before 0.4.2: affected

References

github.com/awslabs/harmonix/pull/189 (patch)

aws.amazon.com/security/security-bulletins/AWS-2025-031/ (vendor advisory)

github.com/...rmonix/security/advisories/GHSA-qm86-gqrq-mqcw (third-party advisory)

cve.org (CVE-2025-14503)

nvd.nist.gov (CVE-2025-14503)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.