Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-14503
PUBLISHED
More InfoOfficial Page
Assigner-AMZN
Assigner Org ID-ff89ba41-3aa1-4d27-914a-91399e9639e5
View Known Exploited Vulnerability (KEV) details
Published At-15 Dec, 2025 | 19:45
Updated At-16 Dec, 2025 | 23:13
Rejected At-
▼CVE Numbering Authority (CNA)
Overly Permissive Trust Policy in Harmonix on AWS EKS

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

Affected Products
Vendor
AWS
Product
Harmonix on AWS
Default Status
unaffected
Versions
Affected
  • From 0.3.0 before 0.4.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-266CWE-266 Incorrect Privilege Assignment
Type: CWE
CWE ID: CWE-266
Description: CWE-266 Incorrect Privilege Assignment
Metrics
VersionBase scoreBase severityVector
4.08.6HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-233CAPEC-233 Privilege Escalation
CAPEC ID: CAPEC-233
Description: CAPEC-233 Privilege Escalation
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/awslabs/harmonix/pull/189
patch
https://aws.amazon.com/security/security-bulletins/AWS-2025-031/
vendor-advisory
https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw
third-party-advisory
Hyperlink: https://github.com/awslabs/harmonix/pull/189
Resource:
patch
Hyperlink: https://aws.amazon.com/security/security-bulletins/AWS-2025-031/
Resource:
vendor-advisory
Hyperlink: https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found