Improper Validation of ECDSA Signatures in AWS Encryption SDK for Java
CVE-2024-23680
5.3 MEDIUM
What is CVE-2024-23680?
The AWS Encryption SDK for Java, in versions 2.0.0 to 2.2.0 and in all versions earlier than 1.9.0, does not adequately validate certain invalid ECDSA signatures. An attacker could exploit this improper signature validation, potentially leading to unauthorized access to or manipulation of sensitive data. AWS recommends reviewing the affected versions and applying the necessary updates to mitigate the risks associated with this vulnerability.