Insecure Permissions Affecting aws-encryption-sdk-cli package, versions [,1.8.0) [2.0.0, 2.1.0)
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-AWSENCRYPTIONSDKCLI-1023592
- published 29 Oct 2020
- disclosed 28 Oct 2020
- credit Unknown
How to fix?
Upgrade aws-encryption-sdk-cli
to version 1.8.0, 2.1.0 or higher.
Overview
aws-encryption-sdk-cli is a This command line tool can be used to encrypt and decrypt files and directories using the AWS Encryption SDK.
Affected versions of this package are vulnerable to Insecure Permissions. In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode".