CVE-2021-40828

MEDIUM LAB

AWS IoT Device SDK v2 (Java < 1.3.3, Python < 1.5.18, C++ < 1.12.7, Node.js < 1.5.3) - Improper Certificate Validation (missing hostname verification) on Windows


Description

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. The certificate chain was still validated against the overridden CA, but the name the certificate was issued for was never compared with the endpoint being connected to, so any certificate chaining to that CA, issued for any host, would be accepted for the IoT endpoint (CWE-295). This issue has been addressed in aws-c-io submodule versions 0.9.13 onward.

This issue affects, on Microsoft Windows only:
Amazon Web Services AWS IoT Device SDK v2 for Java, versions prior to 1.3.3
Amazon Web Services AWS IoT Device SDK v2 for Python, versions prior to 1.5.18
Amazon Web Services AWS IoT Device SDK v2 for C++, versions prior to 1.12.7
Amazon Web Services AWS IoT Device SDK v2 for Node.js, versions prior to 1.5.3

Note: the description gives two different bounds for Node.js (1.5.1 in the first sentence, 1.5.3 in the affected list); the product entries below use 1.5.1. When triaging, treat anything below 1.5.3 as potentially affected and confirm the bundled aws-c-io version is 0.9.13 or later.
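What the missing check permits, as an added example that is not code from the AWS IoT Device SDKs or aws-c-io. The "certificates" are constructed dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, the chain check is simulated by comparing the issuer with the trusted CA, and the CA and host names are hypothetical. The hostname matcher applies the RFC 6125 rules a TLS client must run after chain validation (SAN entries only, wildcard only as the whole leftmost label), and verify_peer() with check_hostname=False reproduces the vulnerable behaviour: a valid certificate from the same private CA, issued for a different host, is accepted for the broker endpoint.

```python
"""Chain validation without hostname verification (CWE-295), simulated offline.

Added example, not SDK code. The "certificates" are constructed dicts in the
shape ssl.SSLSocket.getpeercert() returns; the chain check is simulated by
comparing the issuer CN with the trusted CA; all names are hypothetical.
"""
import ipaddress

# Constructed: the private CA an operator installed as an override trust store.
PRIVATE_CA = "Example Private IoT CA"

# Constructed: the certificate of the broker the device intends to reach.
GOOD_CERT = {
    "subject": ((("commonName", "mqtt.example-iot.internal"),),),
    "issuer": ((("commonName", PRIVATE_CA),),),
    "subjectAltName": (("DNS", "mqtt.example-iot.internal"),),
}

# Constructed: a valid certificate from the same CA, issued for another host.
# Whoever holds its private key can present it from a rogue broker.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "staging-gw.example-iot.internal"),),),
    "issuer": ((("commonName", PRIVATE_CA),),),
    "subjectAltName": (
        ("DNS", "staging-gw.example-iot.internal"),
        ("DNS", "*.dev.example-iot.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

# Constructed: a certificate from an unrelated CA; must fail the chain check.
UNTRUSTED_CERT = {
    "subject": ((("commonName", "mqtt.example-iot.internal"),),),
    "issuer": ((("commonName", "Some Other CA"),),),
    "subjectAltName": (("DNS", "mqtt.example-iot.internal"),),
}


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-shaped dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def chain_is_trusted(cert, trusted_ca):
    """Stand-in for path validation: the issuer must be the trusted CA."""
    return issuer_cn(cert) == trusted_ca


def dns_name_matches(pattern, hostname):
    """RFC 6125 style DNS-ID comparison.

    Case-insensitive. A wildcard is allowed only as the entire leftmost label,
    matches exactly one label, and is refused for short patterns such as
    '*.com'. Partial-label wildcards ('f*.example') are rejected outright.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if len(p_labels) < 3 or p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Compare the requested hostname against SAN entries only.

    Falling back to the subject CN is deprecated and deliberately not done.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                    return True
            except ValueError:
                pass  # hostname is not an IP literal, or the SAN value is malformed
    return False


def verify_peer(cert, hostname, trusted_ca, check_hostname=True):
    """Client-side acceptance decision.

    check_hostname=False reproduces the vulnerable behaviour: the chain is
    validated against the overridden CA, but the presented name is ignored.
    """
    if not chain_is_trusted(cert, trusted_ca):
        return "rejected: untrusted issuer"
    if check_hostname and not hostname_matches(cert, hostname):
        return "rejected: hostname mismatch"
    return "accepted"


if __name__ == "__main__":
    endpoint = "mqtt.example-iot.internal"
    for label, cert in (("good", GOOD_CERT), ("other-host", OTHER_HOST_CERT),
                        ("untrusted", UNTRUSTED_CERT)):
        vulnerable = verify_peer(cert, endpoint, PRIVATE_CA, check_hostname=False)
        fixed = verify_peer(cert, endpoint, PRIVATE_CA)
        print(f"{label:11} vulnerable={vulnerable:28} fixed={fixed}")
```

The "other-host" row is the whole bug: a custom trust store does not shrink the set of names the CA can sign for, so the hostname comparison is what ties the chain to the endpoint. The same split exists in Python's stdlib, where ssl.create_default_context(cafile=...) keeps check_hostname=True while a hand-built ssl.SSLContext with check_hostname=False reproduces the flaw.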

Scores

CVSS v3 6.3
EPSS 0.0010
EPSS Percentile 27.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull mcr.microsoft.com/windows:1809

Details

CWE
CWE-295
Status published
Products (8)
amazon/amazon_web_services_aws-c-io < 0.9.13
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.12.7 (C++)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.3.3 (Java)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.5.1 (Node.js)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.5.18 (Python)
npm/aws-iot-device-sdk-v2 0 - 1.5.1 (npm)
pypi/awsiotsdk 0 - 1.5.18 (PyPI)
software.amazon.awssdk.iotdevicesdk/aws-iot-device-sdk 0 - 1.3.3 (Maven)
Published Nov 23, 2021
Tracked Since Feb 18, 2026