CVE-2021-40829

Severity MEDIUM

AWS IoT Device SDK v2 Certificate Validation Flaw on macOS

Description

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate hostname during the TLS handshake when the application overrode the Certificate Authorities (CAs) in its trust store on macOS. The chain was still validated against the supplied CA set, but nothing checked that the endpoint name the client dialed appeared in the certificate, so any certificate issued by a CA in that store, for any name, would be accepted for any endpoint. The fix lives in the aws-c-io submodule, versions 0.10.5 onward; aws-c-io 0.10.4 on macOS is itself affected.

Affected (macOS only):
AWS IoT Device SDK v2 for Java versions prior to 1.4.2
AWS IoT Device SDK v2 for Python versions prior to 1.6.1
AWS IoT Device SDK v2 for C++ versions prior to 1.12.7
AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3
aws-c-io 0.10.4
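The check the vulnerable versions skipped is hostname verification: after the chain has been validated against the (overridden) CA set, the client must still confirm that the name it connected to appears in the certificate's subjectAltName. The block below is an added example, not code from the AWS SDKs or aws-c-io. It implements that match in Python under RFC 6125 rules (the same rules the standard library's removed ssl.match_hostname followed) over a certificate dict shaped like the output of ssl.SSLSocket.getpeercert(), and shows a client context that keeps verification on when a custom CA bundle is loaded. SAMPLE_CERT and the hostnames are constructed for illustration.

```python
import ipaddress
import ssl
from typing import Optional

# Constructed sample, mimicking ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "iot.example.com"),),),
    "subjectAltName": (
        ("DNS", "iot.example.com"),
        ("DNS", "*.devices.example.com"),
        ("IP Address", "10.0.0.1"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, with at least two labels
    # to its right, so "*.com" can never cover a whole TLD.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" matches exactly one non-empty label: "a.b.example.com" must not
    # satisfy "*.example.com", and neither must ".example.com".
    if len(h_labels) != len(p_labels) or not all(h_labels):
        return False
    if h_labels[0].startswith("xn--"):
        return False  # never let a wildcard cover an IDNA A-label
    return p_labels[1:] == h_labels[1:]


def _ip_match(san_ip: str, hostname: str) -> bool:
    """Compare an iPAddress SAN with the dialed address, normalised."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(hostname)
    except ValueError:
        return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a subjectAltName entry of cert.

    Only subjectAltName is consulted; there is no fallback to the subject
    commonName, matching modern client behaviour.
    """
    if "*" in hostname:
        return False  # a dialed name never legitimately contains a wildcard
    try:
        ipaddress.ip_address(hostname)
        is_ip = True
    except ValueError:
        is_ip = False
    for kind, value in cert.get("subjectAltName", ()):
        if is_ip and kind == "IP Address" and _ip_match(value, hostname):
            return True
        if not is_ip and kind == "DNS" and _dns_match(value, hostname):
            return True
    return False


def verify_peer(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError when the certificate is not for hostname."""
    if not hostname_matches(cert, hostname):
        sans = ", ".join(v for _, v in cert.get("subjectAltName", ()))
        raise ssl.CertificateError(
            f"hostname {hostname!r} does not match certificate SANs [{sans}]"
        )


def client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context that keeps hostname checking on with a custom CA.

    The weak pattern this CVE describes is equivalent to setting
    ctx.check_hostname = False after loading the override CA; never do that.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # override trust store
    else:
        ctx.load_default_certs()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for name in ("sensor.devices.example.com", "a.sensor.devices.example.com", "10.0.0.1"):
        print(name, hostname_matches(SAMPLE_CERT, name))
```

In the affected SDKs the fix is in aws-c-io, so the remedy is to upgrade rather than to bolt a check like this on top; the example is for understanding what "verify hostname" requires, and for testing your own client code paths that load a custom CA, since that is exactly the configuration in which the SDK dropped the check.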

Scores

CVSS v3 6.3
EPSS 0.0010
EPSS Percentile 27.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-295 (Improper Certificate Validation)
Status published
Products (7)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.12.7 (C++)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.4.2 (Java)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.5.3 (Node.js)
amazon/amazon_web_services_internet_of_things_device_software_development_kit_v2 < 1.6.1 (Python)
npm/aws-iot-device-sdk-v2 < 1.5.3 (npm)
pypi/awsiotsdk < 1.6.1 (PyPI)
software.amazon.awssdk.iotdevicesdk/aws-iot-device-sdk < 1.4.2 (Maven)
Published Nov 23, 2021
Tracked Since Feb 18, 2026