{"url":"http://public2.vulnerablecode.io/api/packages/18975?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.2","type":"pypi","namespace":"","name":"aws-encryption-sdk","version":"1.3.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.0","latest_non_vulnerable_version":"2.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35673?format=json","vulnerability_id":"VCID-6szz-puzq-67bx","summary":"A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and JavaScript prior to version 2.0.0. Because AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20-Poly1305) used by the SDKs to encrypt messages is not key-committing, an attacker can craft a single ciphertext that decrypts successfully to different plaintexts under different keys; this becomes especially relevant in a multi-recipient setting, where recipients holding different keys can be shown different messages from one ciphertext. We recommend users update their SDK to 2.0.0 or later.","references":[{"reference_url":"https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/","reference_id":"","reference_type":"","scores":[],"url":"https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"},{"reference_url":"https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8897","reference_id":"CVE-2020-8897","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8897"},{"reference_url":"https://github.com/advisories/GHSA-wqgp-vphw-hphf","reference_id":"GHSA-wqgp-vphw-hphf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqgp-vphw-hphf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18986?format=json","purl"
:"pkg:pypi/aws-encryption-sdk@2.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@2.0.0"}],"aliases":["CVE-2020-8897","GHSA-wqgp-vphw-hphf","PYSEC-2020-261"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6szz-puzq-67bx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.2"}