Home > Vulnerability Database > CVE-2020-8897

Mend.io Vulnerability Database

CVE-2020-8897

Good to know:

Date: November 16, 2020

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

Language: Python

Severity Score

4.8

Related Resources (6)

Url: https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/

Url: https://github.com/pypa/advisory-database/tree/main/vulns/aws-encryption-sdk/PYSEC-2020-261.yaml

Url: https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-8897

Url: https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment

Url: https://www.mend.io/vulnerability-database/CVE-2020-8897

Severity Score

4.8

Weakness Type (CWE)

Cryptographic Issues

CWE-310

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Top Fix

Upgrade Version

Upgrade to version @aws-crypto/client-node - 1.9.0;@aws-crypto/caching-materials-manager-node - 1.9.0;@aws-crypto/material-management-browser - 1.9.0;@aws-crypto/kms-keyring-node - 1.9.0;@aws-crypto/raw-aes-keyring-browser - 1.9.0;@aws-crypto/integration-node - 1.9.0;@aws-crypto/raw-rsa-keyring-browser - 1.9.0;@aws-crypto/material-management-node - 1.9.0;@aws-crypto/kms-keyring-browser - 1.9.0;@aws-crypto/encrypt-node - 1.9.0;@aws-crypto/raw-rsa-keyring-node - 1.9.0;aws-encryption-sdk - 1.9.0;@aws-crypto/client-browser - 1.9.0;@aws-crypto/material-management - 1.9.0;@aws-crypto/raw-keyring - 1.9.0;@aws-crypto/caching-materials-manager-browser - 1.9.0;@aws-crypto/example-node - 1.9.0;@aws-crypto/kms-keyring - 1.9.0;@aws-crypto/integration-browser - 1.9.0;@aws-crypto/encrypt-browser - 1.9.0;@aws-crypto/serialize - 1.9.0;@aws-crypto/example-browser - 1.9.0;@aws-crypto/raw-aes-keyring-node - 1.9.0;@aws-crypto/decrypt-browser - 1.9.0;@aws-crypto/decrypt-node - 1.9.0;@aws-crypto/cache-material - 1.9.0;com.amazonaws:aws-encryption-sdk-java:1.9.0

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-8897

Good to know:

Date: November 16, 2020

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?