VulnerableCode Package Details - pkg:pypi/aws-encryption-sdk@2.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-6rk4-9zxf-vuep Aliases: GHSA-x5h4-9gqw-942j GMS-2021-5	Improper Verification of Cryptographic Signature in aws-encryption-sdk This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.	2.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6rk4-9zxf-vuep
Aliases:
GHSA-x5h4-9gqw-942j
GMS-2021-5

Improper Verification of Cryptographic Signature in aws-encryption-sdk This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated.

2.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6szz-puzq-67bx	A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.	CVE-2020-8897 GHSA-wqgp-vphw-hphf PYSEC-2020-261

Vulnerability

Summary

Aliases

VCID-6szz-puzq-67bx

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

CVE-2020-8897
GHSA-wqgp-vphw-hphf
PYSEC-2020-261

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T17:25:18.520195+00:00	GithubOSV Importer	Fixing	VCID-6szz-puzq-67bx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-wqgp-vphw-hphf/GHSA-wqgp-vphw-hphf.json	38.6.0
2026-06-04T16:21:29.768457+00:00	GitLab Importer	Affected by	VCID-6rk4-9zxf-vuep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aws-encryption-sdk/GMS-2021-5.yml	38.6.0
2026-06-02T04:40:12.965120+00:00	GitLab Importer	Fixing	VCID-6szz-puzq-67bx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aws-encryption-sdk/CVE-2020-8897.yml	38.6.0
2026-06-02T04:07:56.114350+00:00	Pypa Importer	Fixing	VCID-6szz-puzq-67bx	https://github.com/pypa/advisory-database/blob/main/vulns/aws-encryption-sdk/PYSEC-2020-261.yaml	38.6.0