CVE-2024-23680
MEDIUMAWS Encryption SDK for Java 2.0.0-2.2.0 and <1.9.0 - Improper Verification of Cryptographic Signature
Title source: llmDescription
AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
References (3)
Core 3
Core References
Patch, Vendor Advisory vendor-advisory
https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r
Patch, Third Party Advisory third-party-advisory
https://github.com/advisories/GHSA-55xh-53m6-936r
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
11.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (2)
amazon/aws_encryption_sdk
< 1.9.0
com.amazonaws/aws-encryption-sdk-java
0 - 1.9.0Maven
Published
Jan 19, 2024
Tracked Since
Feb 18, 2026