Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4d3AtbTdtcS03cTNy

CLI does not correctly implement strict mode

In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode."

Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.

Permalink: https://github.com/advisories/GHSA-2xwp-m7mq-7q3r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4d3AtbTdtcS03cTNy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-2xwp-m7mq-7q3r
References: Repository: https://github.com/aws/aws-encryption-sdk-cli
Blast Radius: 0.0

Affected Packages

pypi:aws-encryption-sdk-cli
Dependent packages: 0
Dependent repositories: 6
Downloads: 53,295 last month
Affected Version Ranges: >= 2.0.0, < 2.1.0, < 1.8.0
Fixed in: 2.1.0, 1.8.0
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.7.0, 2.0.0
All unaffected versions: 1.8.0, 1.9.0, 2.1.0, 2.2.0, 3.0.0, 3.1.0, 4.0.0, 4.1.0