dynamodb-encryption-sdk@1.0.7 vulnerabilities

DynamoDB Encryption Client for Python

latest version

3.2.0
latest non vulnerable version

3.2.0
first published

6 years ago
latest version published

a year ago
licenses detected
- Apache-2.0
  [0,)
View dynamodb-encryption-sdk package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the dynamodb-encryption-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Authorization dynamodb-encryption-sdk is a DynamoDB Encryption Client for Python Affected versions of this package are vulnerable to Improper Authorization such that when key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider do not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider. How to fix Improper Authorization? Upgrade `dynamodb-encryption-sdk` to version 1.3.0 or higher.	[0,1.3.0)
M Improper Authorization dynamodb-encryption-sdk is a DynamoDB Encryption Client for Python Affected versions of this package are vulnerable to Improper Authorization. This concerns users of `MostRecentProvider` in the DynamoDB Encryption Client with a key provider like AWS Key Management Service, that allows for permissions on keys to be modified. When key usage permissions are changed at the key provider, time-based key reauthorization logic in `MostRecentProvider` does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider. Workarounds: Users who cannot upgrade to use the `CachingMostRecentProvider` can call `clear()` on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider. How to fix Improper Authorization? Upgrade `dynamodb-encryption-sdk` to version 1.3.0 or higher.	[,1.3.0)

Improper Authorization

dynamodb-encryption-sdk is a DynamoDB Encryption Client for Python

Affected versions of this package are vulnerable to Improper Authorization such that when key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider do not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.

How to fix Improper Authorization?

Upgrade dynamodb-encryption-sdk to version 1.3.0 or higher.

[0,1.3.0)

Improper Authorization

dynamodb-encryption-sdk is a DynamoDB Encryption Client for Python

Affected versions of this package are vulnerable to Improper Authorization. This concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service, that allows for permissions on keys to be modified.

When key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.

Workarounds:

Users who cannot upgrade to use the CachingMostRecentProvider can call clear() on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.

How to fix Improper Authorization?

Upgrade dynamodb-encryption-sdk to version 1.3.0 or higher.

[,1.3.0)

Go back to all versions of this package

dynamodb-encryption-sdk@1.0.7 vulnerabilities

DynamoDB Encryption Client for Python

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Workarounds: