CVE-2024-23680

MEDIUM

Amazon Aws Encryption SDK < 1.9.0 - Signature Verification Bypass

Title source: rule

Description

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.

References (3)

Scores

CVSS v3 5.3
EPSS 0.0009
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-347
Status published

Affected Products (2)

amazon/aws_encryption_sdk < 1.9.0
com.amazonaws/aws-encryption-sdk-java < 1.9.0Maven

Timeline

Published Jan 19, 2024
Tracked Since Feb 18, 2026