Lookup for vulnerable packages by Package URL.
| Purl | pkg:gem/aws-sdk-s3@1.184.0 |
|---|
| Type | gem |
|---|
| Namespace | |
|---|
| Name | aws-sdk-s3 |
|---|
| Version | 1.184.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 1.208.0 |
|---|
| Latest_non_vulnerable_version | 1.208.0 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-ajg3-fasu-wfem |
| vulnerability_id |
VCID-ajg3-fasu-wfem |
| summary |
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/aws/aws-sdk-ruby |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aws/aws-sdk-ruby |
|
| 4 |
|
| 5 |
| reference_url |
https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:35:49Z/ |
|
|
| url |
https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq |
| reference_id |
GHSA-2xgq-q749-89fq |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:35:49Z/ |
|
|
| url |
https://github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14762, GHSA-2xgq-q749-89fq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ajg3-fasu-wfem |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 3.1 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:gem/aws-sdk-s3@1.184.0 |
|---|