@aws-crypto/decrypt-node@1.0.5 vulnerabilities
-
latest version
4.0.2
-
latest non vulnerable version
-
first published
5 years ago
-
latest version published
25 days ago
-
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the @aws-crypto/decrypt-node package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
@aws-crypto/decrypt-node is an AWS Encryption SDK for Javascript and Node.js Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext, but some callers may rely on the the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. How to fix Improper Verification of Cryptographic Signature? Upgrade |
>=2.0.0 <2.2.0
<1.9.0
|