{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35673?format=json","vulnerability_id":"VCID-6szz-puzq-67bx","summary":"A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and JavaScript prior to version 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a single ciphertext that decrypts to multiple different results; this becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.","aliases":[{"alias":"CVE-2020-8897"},{"alias":"GHSA-wqgp-vphw-hphf"},{"alias":"PYSEC-2020-261"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59236?format=json","purl":"pkg:maven/com.amazonaws/aws-encryption-sdk-java@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t3wf-pjh5-dqf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.amazonaws/aws-encryption-sdk-java@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/18986?format=json","purl":"pkg:pypi/aws-encryption-sdk@2.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@2.0.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18971?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/18972?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.2.2"},{"url":"http://public2.vulner
ablecode.io/api/packages/18973?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/18974?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/18975?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/18976?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.3"},{"url":"http://public2.vulnerablecode.io/api/packages/18977?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/18978?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/18979?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"r
esource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/18980?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/18981?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/18982?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/18983?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/18984?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/18985?format=json","purl":"pkg:pypi/aws-encryption-sdk@1.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6szz-puzq-67bx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aws-encryption-sdk@1.9.0"}],"references":[{"reference_url":"https://aws.amazon.com/blogs/security/improved-client-sid
e-encryption-explicit-keyids-and-key-commitment/","reference_id":"","reference_type":"","scores":[],"url":"https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"},{"reference_url":"https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8897","reference_id":"CVE-2020-8897","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8897"},{"reference_url":"https://github.com/advisories/GHSA-wqgp-vphw-hphf","reference_id":"GHSA-wqgp-vphw-hphf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqgp-vphw-hphf"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":327,"name":"Use of a Broken or Risky Cryptographic Algorithm","description":"The product uses a broken or risky cryptographic algorithm or protocol."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6szz-puzq-67bx"}