VulnerableCode Package Details - pkg:pypi/aws-encryption-sdk@1.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-6rk4-9zxf-vuep Aliases: GHSA-x5h4-9gqw-942j GMS-2021-5	Improper Verification of Cryptographic Signature in aws-encryption-sdk This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.	1.9.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.2.0 Affected by 0 other vulnerabilities.
VCID-6szz-puzq-67bx Aliases: CVE-2020-8897 GHSA-wqgp-vphw-hphf PYSEC-2020-261	A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.	2.0.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6rk4-9zxf-vuep
Aliases:
GHSA-x5h4-9gqw-942j
GMS-2021-5

Improper Verification of Cryptographic Signature in aws-encryption-sdk This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.

1.9.0
Affected by 1 other vulnerability.

2.2.0
Affected by 0 other vulnerabilities.

VCID-6szz-puzq-67bx
Aliases:
CVE-2020-8897
GHSA-wqgp-vphw-hphf
PYSEC-2020-261

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

2.0.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:02:31.405134+00:00	GitLab Importer	Affected by	VCID-6szz-puzq-67bx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aws-encryption-sdk/CVE-2020-8897.yml	38.6.0
2026-06-06T00:43:28.258384+00:00	GitLab Importer	Affected by	VCID-6rk4-9zxf-vuep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aws-encryption-sdk/GMS-2021-5.yml	38.6.0
2026-06-05T16:56:37.763476+00:00	PyPI Importer	Affected by	VCID-6szz-puzq-67bx	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-02T04:07:56.095933+00:00	Pypa Importer	Affected by	VCID-6szz-puzq-67bx	https://github.com/pypa/advisory-database/blob/main/vulns/aws-encryption-sdk/PYSEC-2020-261.yaml	38.6.0