PT-2025-51883 · Amazon Web Services · Aws Sdk For Ruby
Normj
·
Publicado
2025-12-17
·
Atualizado
2025-12-23
·
CVE-2025-14762
CVSS v4.0
6.0
Média
| Vetor | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
AWS SDK for Ruby versions prior to 1.208.0
Description
A missing cryptographic key commitment in the AWS SDK for Ruby could allow a user with write access to an S3 bucket to introduce a new encryption data key (EDK) that decrypts to different plaintext. This is possible when the encrypted data key is stored in an instruction file instead of S3’s metadata record.
Recommendations
Upgrade AWS SDK for Ruby to version 1.208.0 or later.
Exploit
Correção
Use of a Broken Cryptographic Algorithm
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Aws Sdk For Ruby