CVE-2021-40830

🗓️ 22 Nov 2021 23:41:18Reported by F-SecureUSType

AWS IoT Device SDK v2 for Java, Python, C++, and Node.js allows CA pinning bypass due to improper trust store handlin

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2021-40830	23 Nov 202102:20	–	circl
CNNVD	Amazon AWS IoT Device SDK 信任管理问题漏洞	23 Nov 202100:00	–	cnnvd
Cvelist	CVE-2021-40830 Inconsistent CA override function behavior within AWS IoT Device SDKs on Unix systems	22 Nov 202123:41	–	cvelist
EUVD	EUVD-2021-0030	7 Oct 202500:30	–	euvd
Github Security Blog	Improper certificate management in AWS IoT Device SDK v2	24 Nov 202121:12	–	github
GitLab Advisory Database	Improper Certificate Validation	23 Nov 202100:00	–	gitlab
NVD	CVE-2021-40830	23 Nov 202100:15	–	nvd
OSV	GHSA-C4RH-4376-GFF4 Improper certificate management in AWS IoT Device SDK v2	24 Nov 202121:12	–	osv
OSV	PYSEC-2021-863	23 Nov 202100:15	–	osv
Prion	Design/Logic Flaw	23 Nov 202100:15	–	prion

NVD

Node

amazon amazon_web_services_aws-c-ioMatch0.10.4

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.5.0java

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.5.3node.js

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.6.1python

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.12.7c++

AND

linux linux_kernelMatch-

opengroup unixMatch-

[
  {
    "platforms": [
      "Linux/Unix"
    ],
    "product": "AWS IoT Device SDK v2 for Java",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.5.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "Linux/Unix"
    ],
    "product": "AWS IoT Device SDK v2 for Python",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.6.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "Linux/Unix"
    ],
    "product": "AWS IoT Device SDK v2 for C++",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.12.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "Linux/Unix"
    ],
    "product": "AWS IoT Device SDK v2 for Node.js",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.5.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "Linux/Unix"
    ],
    "product": "AWS-C-IO",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "status": "affected",
        "version": "0.10.4"
      }
    ]
  }
]

Source	Link
github	www.github.com/aws/aws-iot-device-sdk-js-v2
github	www.github.com/awslabs/aws-c-io/
github	www.github.com/aws/aws-iot-device-sdk-java-v2
github	www.github.com/aws/aws-iot-device-sdk-python-v2
github	www.github.com/aws/aws-iot-device-sdk-cpp-v2

21 Nov 2024 06:24Current

7.2High risk

Vulners AI Score7.2

CVSS 25.8

CVSS 3.16.3 - 8.8

EPSS0.00103

CWE-295