Insecure Certificate Validation

2021-11-2511:38:57

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

certificate validation

aws iot

spoofing dns

EPSS

0.002

Percentile

56.3%

JSON

aws-iot-device-sdk-v2 uses insecure certificate validation. Attackers are able to compromise certificate authorities in their trust stores on macOS, by spoofing DNS records to bypass CA pinning.

References

http:

github.com/aws/aws-iot-device-sdk-cpp-v2

github.com/aws/aws-iot-device-sdk-java-v2

github.com/aws/aws-iot-device-sdk-js-v2

github.com/aws/aws-iot-device-sdk-js-v2/pull/159

github.com/aws/aws-iot-device-sdk-js-v2/pull/159/commits/f53747afc4170b1fa1ac9a14f372b44b5cd41d2d

github.com/aws/aws-iot-device-sdk-python-v2

github.com/awslabs/aws-c-io/

github.com/awslabs/aws-crt-java/commit/e60484086d1b94750568324a51c0da37d7cc818b

github.com/awslabs/aws-crt-python/commit/2c7b49f5defe5d5f34a01c9c446b96b8d1897908

EPSS

0.002

Percentile

56.3%

JSON

Related for VERACODE:33096