VDB

CVE-2020-8897

CVE-2020-8897 PUBLISHED CVSS 4.800000190734863 MEDIUM

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

EPSS 0.08% · 23.3th percentile

Risk Scores

CVSS 3.1
4.800000190734863
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS Score
0.08%
23.3th percentile

Affected Products

VendorProductVersions
amazonaws_encryption_sdk0
PyPIaws-encryption-sdk0
AmazonAWS SDKstable
Mavencom.amazonaws:aws-encryption-sdk-java0

Timeline

  • Nov 16, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›