Search
Find a vulnerability
Search criteria
4 vulnerabilities found for aws_encryption_sdk by amazon
CVE-2024-23680 (GCVE-0-2024-23680)
Vulnerability from nvd – Published: 2024-01-19 20:44 – Updated: 2026-06-23 16:13
VLAI
Title
AWS Encryption SDK for Java Improper Verification of Cryptographic Signature
Summary
AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/aws/aws-encryption-sdk-java/se… | vendor-advisory |
| https://github.com/advisories/GHSA-55xh-53m6-936r | vendor-advisory |
| https://vulncheck.com/advisories/vc-advisory-GHSA… | third-party-advisory |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T20:15:24.864727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T20:17:04.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.amazonaws:aws-encryption-sdk-java",
"versions": [
{
"lessThan": "2.2.0",
"status": "affected",
"version": "2.0.0",
"versionType": "maven"
},
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures. \u003cbr\u003e\u003c/p\u003e"
}
],
"value": "AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:13.450Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "AWS Encryption SDK for Java Improper Verification of Cryptographic Signature",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-23680",
"datePublished": "2024-01-19T20:44:34.957Z",
"dateReserved": "2024-01-19T17:35:09.984Z",
"dateUpdated": "2026-06-23T16:13:13.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-8897 (GCVE-0-2020-8897)
Vulnerability from nvd – Published: 2020-11-16 11:55 – Updated: 2024-08-04 10:12
VLAI
Title
Robustness weakness in AWS KMS and Encryption SDKs
Summary
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.
Severity
4.8 (Medium)
CWE
- CWE-310 - Cryptographic Issues
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/google/security-research/secur… | x_refsource_CONFIRM |
| https://aws.amazon.com/blogs/security/improved-cl… | x_refsource_CONFIRM |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"all"
],
"product": "AWS SDK",
"vendor": "Amazon",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "stable",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thai Duong"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-310",
"description": "CWE-310 Cryptographic Issues",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T11:55:11.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Robustness weakness in AWS KMS and Encryption SDKs",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2020-8897",
"STATE": "PUBLIC",
"TITLE": "Robustness weakness in AWS KMS and Encryption SDKs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AWS SDK",
"version": {
"version_data": [
{
"platform": "all",
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.0.0"
}
]
}
}
]
},
"vendor_name": "Amazon"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thai Duong"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-310 Cryptographic Issues"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf",
"refsource": "CONFIRM",
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"name": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/",
"refsource": "CONFIRM",
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2020-8897",
"datePublished": "2020-11-16T11:55:11.000Z",
"dateReserved": "2020-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23680 (GCVE-0-2024-23680)
Vulnerability from cvelistv5 – Published: 2024-01-19 20:44 – Updated: 2026-06-23 16:13
VLAI
Title
AWS Encryption SDK for Java Improper Verification of Cryptographic Signature
Summary
AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/aws/aws-encryption-sdk-java/se… | vendor-advisory |
| https://github.com/advisories/GHSA-55xh-53m6-936r | vendor-advisory |
| https://vulncheck.com/advisories/vc-advisory-GHSA… | third-party-advisory |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T20:15:24.864727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T20:17:04.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.amazonaws:aws-encryption-sdk-java",
"versions": [
{
"lessThan": "2.2.0",
"status": "affected",
"version": "2.0.0",
"versionType": "maven"
},
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures. \u003cbr\u003e\u003c/p\u003e"
}
],
"value": "AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:13.450Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-55xh-53m6-936r"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "AWS Encryption SDK for Java Improper Verification of Cryptographic Signature",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-23680",
"datePublished": "2024-01-19T20:44:34.957Z",
"dateReserved": "2024-01-19T17:35:09.984Z",
"dateUpdated": "2026-06-23T16:13:13.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-8897 (GCVE-0-2020-8897)
Vulnerability from cvelistv5 – Published: 2020-11-16 11:55 – Updated: 2024-08-04 10:12
VLAI
Title
Robustness weakness in AWS KMS and Encryption SDKs
Summary
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.
Severity
4.8 (Medium)
CWE
- CWE-310 - Cryptographic Issues
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/google/security-research/secur… | x_refsource_CONFIRM |
| https://aws.amazon.com/blogs/security/improved-cl… | x_refsource_CONFIRM |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"all"
],
"product": "AWS SDK",
"vendor": "Amazon",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "stable",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thai Duong"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-310",
"description": "CWE-310 Cryptographic Issues",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T11:55:11.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Robustness weakness in AWS KMS and Encryption SDKs",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2020-8897",
"STATE": "PUBLIC",
"TITLE": "Robustness weakness in AWS KMS and Encryption SDKs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AWS SDK",
"version": {
"version_data": [
{
"platform": "all",
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.0.0"
}
]
}
}
]
},
"vendor_name": "Amazon"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thai Duong"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-310 Cryptographic Issues"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf",
"refsource": "CONFIRM",
"url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"
},
{
"name": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/",
"refsource": "CONFIRM",
"url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2020-8897",
"datePublished": "2020-11-16T11:55:11.000Z",
"dateReserved": "2020-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}