
Secrets rotation lambda is affected by CWE-117 and CWE-93

Open Niffy opened this issue 9 months ago • 3 comments

When looking in AWS Inspector, it appears the lambda for secret rotation is vulnerable to the following log injection CWEs: CWE-117 and CWE-93.

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

It marks the severity as high.

The finding occurs here https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py#L59

logger.error("Secret %s is not enabled for rotation" % arn)

Having this resolved would be great and means we have no vulnerabilities that are high on our account.

Niffy avatar Feb 21 '25 17:02 Niffy
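As an added illustration of the log-injection pattern the Inspector finding points at (this is example code, not the project's rotation lambda): the `"%s" % arn` form on the linked line renders a caller-supplied string straight into the log record, so a value containing a line break splits one record into two. The block below contrasts that with a sanitizer that escapes control characters, and shows a `logging.Filter` that applies the same escaping automatically when the message is logged with lazy `%s` arguments. The `SAMPLE_ARN` value and the `rotation-demo` logger name are constructed for the example.

```python
import io
import logging
import re

# Constructed sample: a secret ARN followed by an injected line break and a
# forged "success" record. Hypothetical input, not taken from the project.
SAMPLE_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo"
    "\nINFO Rotation succeeded"
)

# CR, LF, tab and the other C0/DEL control characters that can break a log
# line or confuse a log parser.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Return a single-line representation of value for logging.

    Each control character is replaced by its Python escape (e.g. "\\n"),
    so the log consumer sees one record and the injected text stays visible
    but inert.
    """
    return _CONTROL_CHARS.sub(lambda m: repr(m.group(0))[1:-1], value)


def format_unsafe(arn: str) -> str:
    """Mirrors the pattern on the linked line: the value is interpolated as-is."""
    return "Secret %s is not enabled for rotation" % arn


def format_safe(arn: str) -> str:
    """Same message, with the untrusted value sanitized first."""
    return "Secret %s is not enabled for rotation" % sanitize_for_log(arn)


def log_line_count(message: str) -> int:
    """How many log lines a message would occupy once written."""
    return len(message.splitlines())


class ControlCharFilter(logging.Filter):
    """Sanitize string arguments so every record renders as one line.

    Only effective when callers use lazy arguments
    (logger.error("... %s", arn)); a message pre-formatted with "%" has no
    args left for the filter to clean.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        args = record.args
        if isinstance(args, tuple):
            record.args = tuple(
                sanitize_for_log(a) if isinstance(a, str) else a for a in args
            )
        elif isinstance(args, dict):
            record.args = {
                k: sanitize_for_log(v) if isinstance(v, str) else v
                for k, v in args.items()
            }
        return True


def render_with_filter(arn: str) -> str:
    """Log the rotation error through the filter and return the rendered text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("rotation-demo")  # constructed logger name
    logger.handlers = [handler]
    logger.filters = []
    logger.addFilter(ControlCharFilter())
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.error("Secret %s is not enabled for rotation", arn)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe lines:", log_line_count(format_unsafe(SAMPLE_ARN)))
    print("safe lines:  ", log_line_count(format_safe(SAMPLE_ARN)))
    print(render_with_filter(SAMPLE_ARN), end="")
```

The filter approach is the one to prefer in a code base with many log calls: switching `logger.error("..." % arn)` to `logger.error("...", arn)` and installing the filter once on the logger sanitizes every string argument, whereas wrapping each value in `sanitize_for_log` by hand has to be repeated at every call site.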

Echoing: High Severity.

PR #159 created: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/pull/159

seetamraju avatar Apr 15 '25 16:04 seetamraju

These rotation lambdas do not take end user defined input. This is not a high severity issue.

simonmarty avatar Sep 03 '25 20:09 simonmarty

Please fix this Inspector finding; we have this as well in a big enterprise company.

kellerassel007 avatar Oct 09 '25 10:10 kellerassel007