com.amazonaws:aws-encryption-sdk-java 1.3.1-STAGING vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.amazonaws:aws-encryption-sdk-java package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Verification of Cryptographic Signature com.amazonaws:aws-encryption-sdk-java is an AWS Encryption SDK for Java Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. How to fix Improper Verification of Cryptographic Signature? Upgrade `com.amazonaws:aws-encryption-sdk-java` to version 2.2.0, 1.9.0 or higher.	[2.0.0,2.2.0)[,1.9.0)
M Inadequate Encryption Strength com.amazonaws:aws-encryption-sdk-java is an AWS Encryption SDK for Java Affected versions of this package are vulnerable to Inadequate Encryption Strength. A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript. Due to the non-committing property of `AES-GCM` (and other `AEAD` ciphers such as `AES-GCM-SIV` or `(X)ChaCha20Poly1305`) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. How to fix Inadequate Encryption Strength? Upgrade `com.amazonaws:aws-encryption-sdk-java` to version 2.0.0 or higher.	[,2.0.0)

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

com.amazonaws:aws-encryption-sdk-java is an AWS Encryption SDK for Java

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages.

How to fix Improper Verification of Cryptographic Signature?

Upgrade com.amazonaws:aws-encryption-sdk-java to version 2.2.0, 1.9.0 or higher.

[2.0.0,2.2.0)[,1.9.0)

Inadequate Encryption Strength

com.amazonaws:aws-encryption-sdk-java is an AWS Encryption SDK for Java

Affected versions of this package are vulnerable to Inadequate Encryption Strength. A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting.

How to fix Inadequate Encryption Strength?

Upgrade com.amazonaws:aws-encryption-sdk-java to version 2.0.0 or higher.

[,2.0.0)

com.amazonaws:aws-encryption-sdk-java@1.3.1-STAGING vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?