com.amazonaws:aws-dynamodb-encryption-java@1.14.1 vulnerabilities

latest version

2.0.3

latest non vulnerable version

2.0.3

first published

8 years ago

latest version published

3 years ago

licenses detected

Apache-2.0
[0,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the com.amazonaws:aws-dynamodb-encryption-java package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Authorization com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB. Affected versions of this package are vulnerable to Improper Authorization. This concerns users of `MostRecentProvider` in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions are changed at the key provider, time-based key reauthorization logic in `MostRecentProvider` does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider. Workarounds: Users who cannot upgrade to use the `CachingMostRecentProvider` can call `clear()` on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider. How to fix Improper Authorization? Upgrade `com.amazonaws:aws-dynamodb-encryption-java` to version 1.15.0 or higher.	[,1.15.0)

Improper Authorization

com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB.

Affected versions of this package are vulnerable to Improper Authorization. This concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified.

When key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.

Workarounds:

Users who cannot upgrade to use the CachingMostRecentProvider can call clear() on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.

How to fix Improper Authorization?

Upgrade com.amazonaws:aws-dynamodb-encryption-java to version 1.15.0 or higher.

[,1.15.0)

Go back to all versions of this package