Vulnerability DatabaseCVE-2021-40828
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2021-40828
November 22, 2021
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.
Affected Packages
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk (JAVA):
Affected version(s) >=0.2.3 <1.3.3
Fix Suggestion:
Update to version 1.3.3
aws-iot-device-sdk-v2 (NPM):
Affected version(s) >=0.0.1-security <1.5.1
Fix Suggestion:
Update to version 1.5.1
awsiotsdk (PYTHON):
Affected version(s) >=0.2.4 <1.5.18
Fix Suggestion:
Update to version 1.5.18
Related ResourcesĀ (12)
https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d
https://github.com/aws/aws-iot-device-sdk-python-v2
https://github.com/aws/aws-iot-device-sdk-cpp-v2
https://github.com/awslabs/aws-c-io/
https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2
https://nvd.nist.gov/vuln/detail/CVE-2021-40828
https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml
https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be
https://github.com/advisories/GHSA-94jq-q5v2-76wj
https://github.com/aws/aws-iot-device-sdk-java-v2
https://github.com/aws/aws-iot-device-sdk-js-v2
https://github.com/awslabs/aws-c-io
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.4
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
5.8
Access Vector
ADJACENT NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Certificate Validation
CWE-295
EPSS
Base Score:
0.10