
CLI does not correctly implement strict mode

Low severity GitHub Reviewed Published Oct 27, 2020 in aws/aws-encryption-sdk-cli • Updated Jan 9, 2023

Package

aws-encryption-sdk-cli (pip)

Affected versions

< 1.8.0
>= 2.0.0, < 2.1.0

Patched versions

1.8.0
2.1.0

Description

In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Decryption still succeeded only if the user had permission to decrypt with at least one of the CMKs, but it could succeed using a CMK that was not included in the user-defined set, even though the CLI had been told to operate in "strict mode."

Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.
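
One way to check pinned dependencies against the affected ranges listed above, as an added example that is not part of the advisory or the project's code. The function names and sample lines are constructed for illustration, and pre-release suffixes are ignored when comparing versions.

```python
import re

PACKAGE = "aws-encryption-sdk-cli"
# Ranges from this advisory: (lowest affected, first unaffected, patched version)
AFFECTED = [((0,), (1, 8, 0), "1.8.0"), ((2, 0, 0), (2, 1, 0), "2.1.0")]

def normalize(name):
    """PEP 503 name normalization, so aws_encryption_sdk_cli also matches."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_release(version):
    """Numeric release part as a tuple of at least 3 ints; suffixes like rc1 are ignored."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def check_version(version):
    """Return the patched version to upgrade to, or None if not affected."""
    release = parse_release(version)
    for low, high, fixed in AFFECTED:
        if low <= release < high:
            return fixed
    return None

def audit(lines):
    """Scan `pip freeze` or requirements lines; return (line, verdict) pairs."""
    findings = []
    for line in lines:
        m = re.match(r"\s*([A-Za-z0-9._-]+)\s*(?:==\s*(\d[^\s;#]*))?", line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        if m.group(2) is None:
            # A range or bare name says nothing about what is actually installed.
            findings.append((line.strip(), "unpinned: check installed version"))
        else:
            fixed = check_version(m.group(2))
            verdict = f"affected: upgrade to {fixed}" if fixed else "ok"
            findings.append((line.strip(), verdict))
    return findings

# Constructed sample input, not taken from any real environment.
SAMPLE = ["requests==2.24.0", "aws-encryption-sdk-cli==1.7.1",
          "AWS_Encryption_SDK_CLI == 2.0.0", "aws-encryption-sdk-cli==2.1.0",
          "aws-encryption-sdk-cli>=1.1"]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE):
        print(f"{entry}: {verdict}")
```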

References

@robin-aws robin-aws published to aws/aws-encryption-sdk-cli Oct 27, 2020
Reviewed Oct 28, 2020
Published to the GitHub Advisory Database Oct 28, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-2xwp-m7mq-7q3r

Source code

No known source code