GHSA-72fp-w44g-625q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-72fp-w44g-625q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-72fp-w44g-625q/GHSA-72fp-w44g-625q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-72fp-w44g-625q
- Published
- 2023-11-09T16:02:51Z
- Modified
- 2024-11-30T05:49:18.569581Z
- Summary
- Signing DynamoDB Sets when using the AWS Database Encryption SDK.
- Details
-
Impact
This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map.
DB-ESDK for DynamoDB supports
SIGN_ONLYandENCRYPT_AND_SIGNattribute actions. In version 3.1.0 and below, when a Set type is assigned aSIGN_ONLYattribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined.This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB.
Patches
Fixed in version 3.1.1 We recommend all users upgrade as soon as possible.
Workarounds
None
References
For more information on how to address records with Sets marked as
SIGN_ONLYwritten by versions 3.1.0 and below of DB-ESDK, see AWS Database Encryption SDK Decrypt with Permute - Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-11-09T16:02:51Z" }- References
-
- https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/security/advisories/GHSA-72fp-w44g-625q
- https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/commit/e3aa016895a3e2533b9a3c1ec88458d6667b3245
- https://github.com/aws/aws-database-encryption-sdk-dynamodb-java
- https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/releases/tag/v3.1.1
Affected packages
Maven / software.amazon.cryptography:aws-database-encryption-sdk-dynamodb
Package
- Name
- software.amazon.cryptography:aws-database-encryption-sdk-dynamodb
- View open source insights on deps.dev
- Purl
- pkg:maven/software.amazon.cryptography/aws-database-encryption-sdk-dynamodb