VYPR
High severity · NVD Advisory · Published Nov 22, 2021 · Updated Aug 4, 2024

TLS hostname validation issues within AWS IoT Device SDKs on macOS

CVE-2021-40829

Description

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate's hostname during the TLS handshake when the Certificate Authorities (CA) in their trust stores were overridden on macOS. A client that accepts any certificate chaining to the supplied CA, regardless of the name it was issued for, can be connected to a host other than the one it intended. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                     Ecosystem   Affected versions   Patched versions
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk      Maven       < 1.4.2             1.4.2
aws-iot-device-sdk-v2                                       npm         < 1.5.3             1.5.3
awsiotsdk                                                   PyPI        < 1.6.1             1.6.1
