Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


CLI does not correctly implement strict mode

In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode."

Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.
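
The difference between the two modes, as an added example that is not code from the advisory or from the AWS Encryption SDK: a simplified Python model of which wrapping keys a decryptor may try in each mode. The function names, the `caller_can_use` permission set and the sample ARNs are assumptions constructed for illustration.

```python
# Simplified model (not the AWS Encryption SDK API): an encrypted message
# carries one encrypted data key (EDK) per wrapping CMK, each labelled with
# the ARN of the CMK that wrapped it.
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedDataKey:
    key_arn: str        # CMK that wrapped this data key
    ciphertext: bytes   # opaque wrapped key material


def candidate_edks(edks, mode, allowed_arns=frozenset()):
    """Return the EDKs a decryptor may attempt to unwrap under `mode`."""
    if mode == "discovery":
        # Discovery: try whichever CMK the message names.
        return list(edks)
    if mode == "strict":
        if not allowed_arns:
            raise ValueError("strict mode requires at least one CMK ARN")
        # Strict: only CMKs in the user-defined set, compared exactly.
        return [e for e in edks if e.key_arn in allowed_arns]
    raise ValueError(f"unknown mode: {mode!r}")


def decrypt(edks, mode, allowed_arns, caller_can_use):
    """Return the ARN of the CMK used to unwrap; raise if none qualifies.

    `caller_can_use` stands in for the KMS permission check: the set of
    ARNs the caller's credentials are allowed to decrypt with.
    """
    for edk in candidate_edks(edks, mode, allowed_arns):
        if edk.key_arn in caller_can_use:
            return edk.key_arn
    raise PermissionError("no permitted wrapping key for this message")


# Constructed sample data; the account ID and key IDs are placeholders.
TRUSTED = "arn:aws:kms:us-west-2:111122223333:key/trusted-example"
OTHER = "arn:aws:kms:us-west-2:111122223333:key/other-example"
MESSAGE = [EncryptedDataKey(OTHER, b"\x00" * 32)]
```

In this model, `MESSAGE` decrypts in discovery mode when the caller has permission on `OTHER`, and must fail in strict mode when only `TRUSTED` is in the user-defined set. The affected versions behaved like the first case in both modes.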

Permalink: https://github.com/advisories/GHSA-2xwp-m7mq-7q3r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4d3AtbTdtcS03cTNy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-2xwp-m7mq-7q3r
References: Repository: https://github.com/aws/aws-encryption-sdk-cli
Blast Radius: 0.0

Affected Packages

pypi:aws-encryption-sdk-cli
Dependent packages: 0
Dependent repositories: 6
Downloads: 69,785 last month
Affected Version Ranges: >= 2.0.0, < 2.1.0; < 1.8.0
Fixed in: 2.1.0, 1.8.0
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.7.0, 2.0.0
All unaffected versions: 1.8.0, 1.9.0, 2.1.0, 2.2.0, 3.0.0, 3.1.0, 4.0.0, 4.1.0