Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03NDNyLTVnOTItNXZnZs0YEw

High CVSS: 7.3 EPSS: 0.00102% (0.2918 Percentile) EPSS:
Permalink JSON

Improper certificate management in AWS IoT Device SDK v2

Affected Packages Affected Versions Fixed Versions
pypi:awsiotsdk
PURL: pkg:pypi/awsiotsdk
< 1.6.1 1.6.1
18 Dependent packages
76 Dependent repositories
395,746 Downloads last month

Affected Version Ranges

All affected versions

0.2.4, 0.2.9, 0.3.0, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.6.0

All unaffected versions

1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.12.0, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1, 1.21.2, 1.21.4, 1.21.5, 1.22.0, 1.22.1, 1.22.2, 1.23.0, 1.24.0
npm:aws-iot-device-sdk-v2
PURL: pkg:npm/aws-iot-device-sdk-v2
< 1.5.3 1.5.3
32 Dependent packages
68 Dependent repositories
260,453 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 1.0.0, 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2

All unaffected versions

1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.9.0, 1.9.2, 1.9.4, 1.9.5, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.3, 1.19.5, 1.19.6, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.21.3, 1.21.4, 1.21.5, 1.22.0, 1.23.0
maven:software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk < 1.4.2 1.4.2
3 Dependent packages
20 Dependent repositories

Affected Version Ranges

All affected versions

0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1

All unaffected versions

1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.5, 1.10.6, 1.11.0, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.5, 1.17.6, 1.18.0, 1.18.1, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.21.0, 1.23.0, 1.24.0, 1.25.0, 1.25.1, 1.26.1, 1.27.0

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.

References:

Identifiers

GHSA-743r-5g92-5vgf

CVE-2021-40829

Risk

Severity

High

CVSS

CVSS Score: 7.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00102

EPSS Percentile: 0.2918

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/aws/aws-iot-device-sdk-java-v2

Date and time

Published

almost 4 years ago

Updated

10 months ago

API

JSON