Product
A low-privilege user with a freshly-provisioned SSO account in Netflix's Lemur certificate management service (versions <= 1.9.0) can exploit a Server-Side Request Forgery (SSRF) vulnerability in the ACME authority creation endpoint to reach the AWS EC2 Instance Metadata Service (IMDS), exfiltrating AWS STS credentials, and leveraging a creator-equality Insecure Direct Object Reference (IDOR) vulnerability for permanent access to PKI private keys, resulting in AWS IAM compromise and persistent certificate access.