aws-encryption-sdk@4.0.3

AWS Encryption SDK implementation for Python

  • latest version

    4.0.5

  • first published

    9 years ago

  • latest version published

    4 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the aws-encryption-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
    Severity: M (medium)

    aws-encryption-sdk is an AWS Encryption SDK implementation for Python

    Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') via the shared key cache. The cache does not separate callers by commitment policy: encryption materials cached by a client whose policy permits a non-committing algorithm suite are served to a client whose policy requires key commitment, so the stricter client's commitment policy is not enforced on the materials it actually uses. Without key commitment, a ciphertext can be constructed that decrypts to multiple different plaintexts under different keys.

    Note:

    This is only exploitable if all of the following conditions are met:

    • Two ESDK for Python clients with different commitment policies share a single CachingCryptoMaterialsManager instance within the same process;

    • The client with the weaker commitment policy encrypts first, warming the cache;

    • Both clients use matching encryption contexts;

    • Both clients use the pre-configured default algorithm suite.

    How to fix Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')?

    Upgrade aws-encryption-sdk to version 3.3.1 or higher on the 3.x line, or to version 4.0.5 or higher on the 4.x line.

    Vulnerable versions: [,3.3.1), [4.0.0,4.0.5)
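The four conditions above and the version ranges, as an added worked example that is not part of this page or of the AWS Encryption SDK. It is a constructed model: the class and enum names echo the ESDK's vocabulary (CommitmentPolicy, a caching materials manager wrapping a default one) but are stand-ins written here, and the suite names are assumed. It reproduces why the conditions matter: when both clients rely on the default suite, the requested suite is absent from the cache key, so two clients with different policies and the same encryption context hit the same entry. The `validate_on_hit` flag is an assumed hardening, not a description of the upstream fix; `is_vulnerable_version` checks a version string against the advisory's ranges.

```python
"""Constructed model of the shared-cache commitment-policy downgrade (not ESDK code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class CommitmentPolicy(Enum):
    FORBID_ENCRYPT_ALLOW_DECRYPT = "forbid"
    REQUIRE_ENCRYPT_ALLOW_DECRYPT = "require_encrypt"
    REQUIRE_ENCRYPT_REQUIRE_DECRYPT = "require"

    def requires_commitment_on_encrypt(self) -> bool:
        return self is not CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT


@dataclass(frozen=True)
class AlgorithmSuite:
    name: str
    committing: bool


# Assumed stand-ins for the policy-selected default suites.
NON_COMMITTING = AlgorithmSuite("AES_256_GCM_NO_COMMITMENT", committing=False)
COMMITTING = AlgorithmSuite("AES_256_GCM_COMMIT_KEY", committing=True)


@dataclass(frozen=True)
class EncryptionMaterials:
    suite: AlgorithmSuite
    encryption_context: Tuple[Tuple[str, str], ...]


class DefaultCMM:
    """Non-caching manager: chooses the default suite from the caller's policy and enforces it."""

    def get_encryption_materials(self, policy, context, suite: Optional[AlgorithmSuite] = None):
        chosen = suite or (COMMITTING if policy.requires_commitment_on_encrypt() else NON_COMMITTING)
        if chosen.committing != policy.requires_commitment_on_encrypt():
            raise ValueError(f"{chosen.name} violates {policy.name}")
        return EncryptionMaterials(chosen, tuple(sorted(context.items())))


class SharedCache:
    """One in-process cache shared by several clients (condition 1 of the advisory)."""

    def __init__(self) -> None:
        self.entries: Dict[tuple, EncryptionMaterials] = {}


class CachingCMM:
    """Caching wrapper; validate_on_hit=False models the vulnerable behaviour."""

    def __init__(self, cache: SharedCache, policy: CommitmentPolicy, validate_on_hit: bool):
        self.cache, self.policy, self.validate_on_hit = cache, policy, validate_on_hit
        self.inner = DefaultCMM()

    def get_encryption_materials(self, context: dict, suite: Optional[AlgorithmSuite] = None):
        # Cache key: encryption context plus the *requested* suite. A caller using the
        # default suite contributes None, so callers with different policies but the
        # same context collide on one key (conditions 3 and 4).
        key = (tuple(sorted(context.items())), suite.name if suite else None)
        cached = self.cache.entries.get(key)
        if cached is not None:
            policy_ok = cached.suite.committing == self.policy.requires_commitment_on_encrypt()
            if policy_ok or not self.validate_on_hit:
                return cached  # vulnerable path: served whatever the first caller cached
            # Hardened path (assumed): discard an entry that violates this caller's policy.
        materials = self.inner.get_encryption_materials(self.policy, context, suite)
        self.cache.entries[key] = materials
        return materials


def run_scenario(validate_on_hit: bool) -> Tuple[bool, bool]:
    """Weak client encrypts first (condition 2), strict client second, same context."""
    cache = SharedCache()
    weak = CachingCMM(cache, CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT, validate_on_hit)
    strict = CachingCMM(cache, CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, validate_on_hit)
    context = {"purpose": "demo", "tenant": "a"}  # constructed encryption context
    first = weak.get_encryption_materials(context)
    second = strict.get_encryption_materials(context)
    # Returns whether each client's materials use a committing suite.
    return first.suite.committing, second.suite.committing


def is_vulnerable_version(version: str) -> bool:
    """True when version falls in the advisory's ranges [,3.3.1) or [4.0.0,4.0.5)."""
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    return v < (3, 3, 1) or (4, 0, 0) <= v < (4, 0, 5)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(validate_on_hit=False))  # (False, False): strict client downgraded
    print("hardened:", run_scenario(validate_on_hit=True))     # (False, True)
    print("4.0.3 vulnerable:", is_vulnerable_version("4.0.3"))
```

In the vulnerable run the strict client receives non-committing materials because the weak client's entry is already in the shared cache; the model's hardened run regenerates instead. Independently of any library fix, the conditions list points at the operational mitigation: do not share one CachingCryptoMaterialsManager between clients with different commitment policies, and pin the upgraded version.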