CVE-2020-8897

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later. See CVE-2020-8897.


CONFIRM:https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/: https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/
CONFIRM:https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf: https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8897
• https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/
• https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf