com.amazonaws:aws-dynamodb-encryption-java@1.11.1 vulnerabilities

latest version

2.0.3
latest non vulnerable version

2.0.3
first published

8 years ago
latest version published

3 years ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the com.amazonaws:aws-dynamodb-encryption-java package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Authorization com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB. Affected versions of this package are vulnerable to Improper Authorization. This concerns users of `MostRecentProvider` in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions are changed at the key provider, time-based key reauthorization logic in `MostRecentProvider` does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider. Workarounds: Users who cannot upgrade to use the `CachingMostRecentProvider` can call `clear()` on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider. How to fix Improper Authorization? Upgrade `com.amazonaws:aws-dynamodb-encryption-java` to version 1.15.0 or higher.	[,1.15.0)

Improper Authorization

com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB.

Affected versions of this package are vulnerable to Improper Authorization. This concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified.

When key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.

Workarounds:

Users who cannot upgrade to use the CachingMostRecentProvider can call clear() on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.

How to fix Improper Authorization?

Upgrade com.amazonaws:aws-dynamodb-encryption-java to version 1.15.0 or higher.

[,1.15.0)

Go back to all versions of this package

com.amazonaws:aws-dynamodb-encryption-java@1.11.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

Workarounds: