Improper Authorization Affecting com.amazonaws:aws-dynamodb-encryption-java package, versions [,1.15.0)


0.0
medium
  • Attack Complexity

    Low

  • User Interaction

    Required

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMAMAZONAWS-1070810

  • published

    9 Feb 2021

  • disclosed

    8 Feb 2021

  • credit

    Unknown

How to fix?

Upgrade com.amazonaws:aws-dynamodb-encryption-java to version 1.15.0 or higher.

Overview

com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB.

Affected versions of this package are vulnerable to Improper Authorization. This concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified.

When key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.

Workarounds:

Users who cannot upgrade to use the CachingMostRecentProvider can call clear() on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.

References