low

Encryption SDK vulnerabilities

Published Mon, Sep 28th, 2020
Platforms

Summary

AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0 were susceptible to information leakage (an attacker could create ciphertexts that would leak the user’s AWS account ID, encryption context, user agent, and IP address upon decryption), ciphertext forgery (an attacker could create ciphertexts that were accepted by other users) and lack of robustness (an attacker could create ciphertexts that decrypt to different plaintexts for different users).

Affected Services

KMS

Remediation

Update the SDK to the latest secure version.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, Sep 28th, 2020
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Thai Duong (thaidn), Google