CVE-2020-8897 - OpenCVE

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Aws Encryption Sdk

Configuration 1 [-]

cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/
https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2020-11-16T11:55:11

Updated: 2024-08-04T10:12:10.984Z

Reserved: 2020-02-12T00:00:00

Link: CVE-2020-8897

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-16T12:15:14.557

Modified: 2020-12-02T16:06:24.447

Link: CVE-2020-8897

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "AWS SDK", "vendor": "Amazon", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thai Duong"}], "descriptions": [{"lang": "en", "value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-310", "description": "CWE-310 Cryptographic Issues", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-16T11:55:11", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"}], "source": {"discovery": "EXTERNAL"}, "title": "Robustness weakness in AWS KMS and Encryption SDKs", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2020-8897", "STATE": "PUBLIC", "TITLE": "Robustness weakness in AWS KMS and Encryption SDKs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AWS SDK", "version": {"version_data": [{"platform": "all", "version_affected": "<", "version_name": "stable", "version_value": "2.0.0"}]}}]}, "vendor_name": "Amazon"}]}}, "credit": [{"lang": "eng", "value": "Thai Duong"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-310 Cryptographic Issues"}]}]}, "references": {"reference_data": [{"name": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf", "refsource": "CONFIRM", "url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"}, {"name": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/", "refsource": "CONFIRM", "url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:10.984Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2020-8897", "datePublished": "2020-11-16T11:55:11", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:10.984Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_encryption_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "8491D752-1C83-4B0B-941B-3AD03C000A2D", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de robustez d\u00e9bil en los AWS Encryption SDKs para Java, Python, C y JavaScript versiones anteriores a 2.0.0. Debido a la propiedad non-committing de AES-GCM (y otros cifrados AEAD como AES-GCM-SIV o (X)ChaCha20Poly1305) usados por los SDK para cifrar mensajes, un atacante puede dise\u00f1ar un texto cifrado \u00fanico que descifrar\u00e1 a m\u00faltiples resultados, y se vuelve especialmente relevante en un entorno de m\u00faltiples destinatarios. Recomendamos a usuarios actualizar su SDK versiones hasta 2.0.0 o posteriores"}], "id": "CVE-2020-8897", "lastModified": "2020-12-02T16:06:24.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2020-11-16T12:15:14.557", "references": [{"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment/"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-310"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}