CVE-2026-11401
high
CVSS 8.0
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance
Overview
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance
AI summary openai / gpt-4o
An untrusted search path issue in the GlobalDatabasePlugin of AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL allows a remote, authenticated, low-privileged user to escalate to the privileges of another Amazon RDS user. This includes rds_superuser.
❓ What is the problem
An untrusted search path issue in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL.
📍 Affected scope
The GlobalDatabasePlugin of AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL.
🔥 Severity
Amazon RDS user privileges can be escalated without authorization by using an untrusted path.
🔧 Fix
Upgrade to the 2026-05-26 release of AWS Advanced Go Wrapper.
🛡️ Temporary workaround
No information
🔍 Detection
Check whether an affected version of AWS Advanced Go Wrapper is in use.
Affected packages
go
github.com/aws/aws-advanced-go-wrapper/awssql/v2
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/xray
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.07"}]}]
go
github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.2"}]}]
go
github.com/aws/aws-advanced-go-wrapper/custom-endpoint
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.4"}]}]
go
github.com/aws/aws-advanced-go-wrapper/federated-auth
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/iam
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/mysql-driver
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/okta
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/pgx-driver
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
go
github.com/aws/aws-advanced-go-wrapper/otlp
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.7"}]}]
go
github.com/aws/aws-advanced-go-wrapper/auth-helpers
[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
Reference URLs
- advisory https://nvd.nist.gov/vuln/detail/CVE-2026-11401
- package https://github.com/aws/aws-advanced-go-wrapper
- web ff89ba41-3aa1-4d27-914a-91399e9639e5
- web https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2026-05-26
- web https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-r236-5pc3-3qcp
- web https://aws.amazon.com/security/security-bulletins/2026-039-aws
- web https://github.com/advisories/GHSA-r236-5pc3-3qcp