GHSA-2xwp-m7mq-7q3r – aws-encryption-sdk-cli

Package

Manager: pip
Name: aws-encryption-sdk-cli
Vulnerable Version: >=0 <1.8.0 || >=2.0.0 <2.1.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

CLI does not correctly implement strict mode In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode." Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.

Metadata

Created: 2020-10-28T17:05:38Z
Modified: 2020-10-28T17:04:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-2xwp-m7mq-7q3r/GHSA-2xwp-m7mq-7q3r.json
CWE IDs: ["CWE-326"]
Alternative ID: N/A
Finding: F052
Auto approve: 1