AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue

Summary S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key EDK is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamander...

CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

UBUNTU-CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

CVE-2025-14762

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue,...

CVE-2025-14762

CVE-2025-14762 describes a missing cryptographic key commitment in the AWS SDK for Ruby that can allow a user with write access to an S3 bucket to introduce a new EDK and decrypt data to different plaintext when the encrypted data key is stored in an instruction file rather than in S3 metadata. T...

AWS SDK for Ruby 安全漏洞

AWS SDK for Ruby is an open source developer toolkit for Ruby from Amazon Web Services. A security vulnerability exists in AWS SDK for Ruby that stems from a lack of cryptographic key promises, which could cause a user with write access to an S3 storage bucket to introduce a new EDK that decrypts...

PT-2025-51883

Name of the Vulnerable Software and Affected Versions AWS SDK for Ruby versions prior to 1.208.0 Description A missing cryptographic key commitment in the AWS SDK for Ruby could allow a user with write access to an S3 bucket to introduce a new encryption data key EDK that decrypts to different...

Debian: Security Advisory (DLA-4406-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

RHEL 9 : pcs (RHSA-2025:19512)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:19512 advisory. The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fixes: rubygem-rack: Rack...

Debian: Security Advisory (DLA-4407-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

DLA-4407-1 ruby-sidekiq - security update

Bulletin has no description...

DLA-4406-1 ruby-git - security update

Bulletin has no description...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: ruby (UTSA-2025-991241)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991241 advisory. Unity Link Advisory UTSA-2025-991241 Tenable has extracted the preceding description block directly from the Unity Linux security advisory. Note that Nessus has not...

[SECURITY] [DLA 4407-1] ruby-sidekiq security update

----------------------------------------------------------------------- Debian LTS Advisory DLA-4407-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta December 15, 2025 https://wiki.debian.org/LTS -...

[SECURITY] [DLA 4406-1] ruby-git security update

----------------------------------------------------------------------- Debian LTS Advisory DLA-4406-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta December 15, 2025 https://wiki.debian.org/LTS -...

Debian dla-4406 : ruby-git - security update

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4406 advisory. - ----------------------------------------------------------------------- Debian LTS Advisory DLA-4406-1 [email protected]...

Authentication Bypass

ruby-saml is vulnerable to authentication bypass. The vulnerability is due to improper handling of libxml2 canonicalization in Nokogiri when processing invalid XML, which returns an empty string used for DigestValue calculation, allowing an attacker to perform a Signature Wrapping attack and bypa...

Authentication Bypass

ruby-saml is vulnerable to authentication bypass. The vulnerability is due to inconsistent XML parsing between REXML and Nokogiri resulting in different document structures, which allows an attacker to perform a Signature Wrapping attack and bypass authentication...