CVE-2021-40831

🗓️ 22 Nov 2021 23:41:19Reported by F-SecureUSType

AWS IoT Device SDK v2 for Java, Python, C++, and Node.js allows bypassing of CA pinning on macO

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2021-40831	23 Nov 202102:20	–	circl
CNNVD	Amazon AWS IoT Device SDK 信任管理问题漏洞	22 Nov 202100:00	–	cnnvd
Cvelist	CVE-2021-40831 Missing SNI validation and inconsistent CA override function behavior within AWS IoT Device SDKs on Apple devices	22 Nov 202123:41	–	cvelist
EUVD	EUVD-2021-0031	7 Oct 202500:30	–	euvd
Github Security Blog	Improper certificate management in AWS IoT Device SDK v2	24 Nov 202120:35	–	github
GitLab Advisory Database	Improper Certificate Validation	23 Nov 202100:00	–	gitlab
NVD	CVE-2021-40831	23 Nov 202100:15	–	nvd
OSV	GHSA-J3F7-7RMC-6WQJ Improper certificate management in AWS IoT Device SDK v2	24 Nov 202120:35	–	osv
OSV	PYSEC-2021-864	23 Nov 202100:15	–	osv
Prion	Design/Logic Flaw	23 Nov 202100:15	–	prion

NVD

Node

amazon amazon_web_services_aws-c-ioMatch0.10.7

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.5.0java

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.6.0node.js

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.7.0python

amazon amazon_web_services_internet_of_things_device_software_development_kit_v2Range<1.14.0c++

AND

apple macosMatch-

[
  {
    "platforms": [
      "macOS"
    ],
    "product": "AWS IoT Device SDK v2 for Java",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.5.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "macOS"
    ],
    "product": "AWS IoT Device SDK v2 for Python",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.7.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "macOS"
    ],
    "product": "AWS IoT Device SDK v2 for C++",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.14.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "macOS"
    ],
    "product": "AWS IoT Device SDK v2 for Node.js",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "lessThan": "1.6.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "macOS"
    ],
    "product": "AWS-C-IO",
    "vendor": "Amazon Web Services",
    "versions": [
      {
        "status": "affected",
        "version": "0.10.7"
      }
    ]
  }
]

Source	Link
github	www.github.com/aws/aws-iot-device-sdk-js-v2
github	www.github.com/awslabs/aws-c-io/
github	www.github.com/aws/aws-iot-device-sdk-java-v2
github	www.github.com/aws/aws-iot-device-sdk-python-v2
github	www.github.com/aws/aws-iot-device-sdk-cpp-v2

21 Nov 2024 06:24Current

6.3Medium risk

Vulners AI Score6.3

CVSS 26

CVSS 3.16.3 - 7.2

EPSS0.00278

CWE-295