[MAVEN:GHSA-743R-5G92-5VGF] Improper certificate management in AWS IoT Device SDK v2

Severity Moderate
Affected Packages 3
Fixed Packages 3
CVEs 1

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate hostname during the TLS handshake when the Certificate Authorities (CA) in their trust stores were overridden on macOS. In that configuration the SDK still validated the certificate chain against the supplied CA, but it did not check that the certificate had been issued for the endpoint being connected to, so a certificate issued by that CA for a different host was not rejected. The issue is addressed in the aws-c-io submodule from version 0.10.5 onward.

Affected (macOS only):
- AWS IoT Device SDK v2 for Java, versions prior to 1.4.2
- AWS IoT Device SDK v2 for Python, versions prior to 1.6.1
- AWS IoT Device SDK v2 for C++, versions prior to 1.12.7
- AWS IoT Device SDK v2 for Node.js, versions prior to 1.5.3
- AWS-C-IO 0.10.4
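As an added example (not code from the AWS IoT Device SDK v2 or aws-c-io), the following Python models the two steps of server authentication this advisory concerns, so that the effect of skipping the second one is concrete. hostname_matches applies the RFC 6125 dNSName rules a client runs after the chain validates; authenticate_server shows that with check_hostname=False any certificate issued by the trusted CA passes, which is the exposure when a fleet or corporate CA is loaded as a trust-store override; custom_ca_context shows how to trust a private CA with Python's ssl module without turning that check off. The CA name, endpoint and certificate dicts are constructed sample data, not real AWS endpoints or certificates.

```python
"""Server authentication in two steps: chain validation, then hostname matching.

Added example, not code from the AWS IoT Device SDK v2 or aws-c-io. The CA
name, endpoint and certificates below are constructed for illustration.
"""
import ssl


def hostname_matches(hostname, dns_sans):
    """Match *hostname* against a certificate's dNSName SAN entries.

    Implements the RFC 6125 rules most clients apply: comparison is
    case-insensitive; a wildcard is accepted only as the complete left-most
    label ("*.example.com", never "f*.example.com" or "a.*.example.com");
    it matches exactly one label; and it needs at least two further labels,
    so "*.com" matches nothing.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in dns_sans:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue                      # a wildcard covers one label only
        if "*" not in san:
            if san_labels == host_labels:
                return True
            continue
        first, rest = san_labels[0], san_labels[1:]
        if first != "*" or any("*" in lbl for lbl in rest) or len(rest) < 2:
            continue                      # partial or misplaced wildcard
        if rest == host_labels[1:]:
            return True
    return False


def authenticate_server(hostname, cert, trusted_ca, check_hostname=True):
    """Model of what a TLS client decides about a presented certificate.

    *cert* is a constructed dict {"issuer": str, "dns_sans": [str, ...]}
    standing in for a parsed X.509 certificate. Chain validation is reduced
    to an issuer comparison because the interesting part is what happens
    after it. check_hostname=False reproduces the behaviour the advisory
    describes: every certificate from the trusted CA is accepted, whatever
    host it was issued for.
    """
    if cert["issuer"] != trusted_ca:
        return False, "chain: not issued by the trusted CA"
    if not check_hostname:
        return True, "hostname check skipped"          # the vulnerable path
    if not hostname_matches(hostname, cert["dns_sans"]):
        return False, "hostname mismatch: %s not covered by %s" % (
            hostname, cert["dns_sans"])
    return True, "ok"


def custom_ca_context(cafile=None):
    """SSLContext trusting a private CA with hostname verification intact.

    create_default_context() sets check_hostname=True and CERT_REQUIRED;
    load_verify_locations() only changes which CAs are trusted. Pass the
    path of a PEM bundle for a private CA, or None to keep the system store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    if not (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED):
        raise RuntimeError("hostname verification was disabled on this context")
    return ctx


# Constructed sample data (no real AWS endpoints or certificates).
PRIVATE_CA = "Example Fleet Root CA"
IOT_ENDPOINT = "data.iot.example.internal"
ENDPOINT_CERT = {"issuer": PRIVATE_CA, "dns_sans": ["*.iot.example.internal"]}
# A legitimate device certificate from the same CA, presented by an
# on-path attacker who holds that device's private key.
DEVICE_CERT = {"issuer": PRIVATE_CA,
               "dns_sans": ["kiosk-17.devices.example.internal"]}


if __name__ == "__main__":
    for label, cert in (("endpoint cert", ENDPOINT_CERT), ("device cert", DEVICE_CERT)):
        for check in (False, True):
            ok, why = authenticate_server(IOT_ENDPOINT, cert, PRIVATE_CA, check)
            print("%-13s check_hostname=%-5s -> %-5s %s" % (label, check, ok, why))
    custom_ca_context()
```

Running the block prints a four-row matrix; only the row with the device certificate and check_hostname=True is rejected, which is the decision the affected macOS builds never reached when a CA override was in use. The same structure applies to the other SDK languages: wherever a custom CA is installed, confirm that the client library's hostname verification remains enabled rather than assuming chain validation alone identifies the endpoint.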

ID
MAVEN:GHSA-743R-5G92-5VGF
Severity
moderate
URL
https://github.com/advisories/GHSA-743r-5g92-5vgf
Published
2021-11-24T21:11:16
Modified
2023-02-01T05:06:24
Rights
Maven Security Team
Other Advisories
Type      Package URL                                                         Namespace                            Name / Product        Version   Distribution / Platform   Arch   Patch / Fix
Affected  pkg:maven/software.amazon.awssdk.iotdevicesdk/aws-iot-device-sdk    software.amazon.awssdk.iotdevicesdk  aws-iot-device-sdk    < 1.4.2   -                         -      -
Fixed     pkg:maven/software.amazon.awssdk.iotdevicesdk/aws-iot-device-sdk    software.amazon.awssdk.iotdevicesdk  aws-iot-device-sdk    = 1.4.2   -                         -      -
Affected  pkg:maven/awsiotsdk                                                 -                                    awsiotsdk             < 1.6.1   -                         -      -
Fixed     pkg:maven/awsiotsdk                                                 -                                    awsiotsdk             = 1.6.1   -                         -      -
Affected  pkg:maven/aws-iot-device-sdk-v2                                     -                                    aws-iot-device-sdk-v2 < 1.5.3   -                         -      -
Fixed     pkg:maven/aws-iot-device-sdk-v2                                     -                                    aws-iot-device-sdk-v2 = 1.5.3   -                         -      -

The version thresholds for awsiotsdk (1.6.1) and aws-iot-device-sdk-v2 (1.5.3) correspond to the Python and Node.js SDK releases named in the description, although this table lists both under pkg:maven; the C++ SDK fix (1.12.7) and aws-c-io 0.10.5 have no row here.