amazon aws-encryption-sdk CVE-2020-8897 vulnerability in Amazon Products
Published on November 16, 2020

Robustness weakness in AWS KMS and Encryption SDKs
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

Github Repository NVD

Vulnerability Analysis

CVE-2020-8897 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Cryptographic Issues

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.


Products Associated with CVE-2020-8897

stack.watch emails you whenever new vulnerabilities are published in Amazon Aws Encryption Sdk or Amazon Aws. Just hit a watch button to start following.

Amazon Aws Encryption Sdk
 
Amazon Aws
 

Affected Versions

Amazon AWS SDK:

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-8897

Package Manager Vulnerable Package Versions Fixed In
maven com.amazonaws:aws-encryption-sdk-java < 2.0.0 2.0.0
pip aws-encryption-sdk < 2.0.0 2.0.0

Exploit Probability

EPSS
0.08%
Percentile
23.18%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.