[MAVEN:GHSA-GVC7-GJRW-HJ65] Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

Severity: Moderate
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and versions less than 1.9.0 incorrectly validate some invalid ECDSA signatures.

ID: MAVEN:GHSA-GVC7-GJRW-HJ65
Severity: moderate
URL: https://github.com/advisories/GHSA-gvc7-gjrw-hj65
Published: 2024-01-19T21:30:36 (8 months ago)
Modified: 2024-01-23T14:36:15 (7 months ago)
Rights: Maven Security Team

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/com.amazonaws/aws-encryption-sdk-java | com.amazonaws | aws-encryption-sdk-java | >= 2.0.0 < 2.2.0 | | | |
| Fixed | pkg:maven/com.amazonaws/aws-encryption-sdk-java | com.amazonaws | aws-encryption-sdk-java | = 2.2.0 | | | |
| Affected | pkg:maven/com.amazonaws/aws-encryption-sdk-java | com.amazonaws | aws-encryption-sdk-java | < 1.9.0 | | | |
| Fixed | pkg:maven/com.amazonaws/aws-encryption-sdk-java | com.amazonaws | aws-encryption-sdk-java | = 1.9.0 | | | |