VYPR
High severityNVD Advisory· Published Nov 16, 2020· Updated Aug 4, 2024

Robustness weakness in AWS KMS and Encryption SDKs

CVE-2020-8897

Description

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.amazonaws:aws-encryption-sdk-javaMaven
< 2.0.02.0.0
aws-encryption-sdkPyPI
< 2.0.02.0.0

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.