Improper Authorization Affecting dynamodb-encryption-sdk package, versions [0,1.3.0)
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DYNAMODBENCRYPTIONSDK-5591192
- published 22 May 2023
- disclosed 22 May 2023
- credit Unknown
How to fix?
Upgrade dynamodb-encryption-sdk to version 1.3.0 or higher.
Overview
dynamodb-encryption-sdk is a DynamoDB Encryption Client for Python
Affected versions of this package are vulnerable to Improper Authorization such that when key usage permissions are changed at the key provider, time-based key reauthorization logic in MostRecentProvider do not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.
Workaround
Users who cannot upgrade to use the 'CachingMostRecentProvider' can call 'clear()' on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.