Robustness weakness in AWS KMS and Encryption SDKs
CVE-2020-8897

4.8MEDIUM

Key Information:

Vendor: Amazon
Status: Aws Sdk
Vendor: CVE Published:; 16 November 2020

What is CVE-2020-8897?

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

Affected Version(s)

AWS SDK all stable < 2.0.0

References

https://github.com/google/security-research/security/advi...

x_refsource_CONFIRM

https://aws.amazon.com/blogs/security/improved-client-sid...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 16, 2020
Vulnerability Reserved
Feb 12, 2020

Credit

Thai Duong