Unknown · Ex Aws Sns · CVE-2026-47074
**Name of the Vulnerable Software and Affected Versions**
`ex_aws_sns` versions 2.0.1 through 2.3.4
**Description**
Improper Certificate Validation in the `ExAws.SNS` and `ExAws.SNS.PublicKeyCache` modules allows for signature spoofing. The function `verify_message()` fetches the signing certificate from the `SigningCertURL` field of an incoming SNS message without verifying that the URL uses HTTPS or that the host belongs to an AWS-owned SNS certificate domain. An unauthenticated attacker can provide a controlled `SigningCertURL` and sign a forged SNS message with their own key, causing the function to return `:ok` and bypassing signature verification. This occurs when the application exposes an HTTP endpoint that calls `verify_message()` on incoming request bodies.
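The missing check described above, as an added defensive example placed in front of the library's verification call (this is not code from `ex_aws_sns` itself): the `SigningCertURL` is accepted only if it is an HTTPS URL whose host is an AWS SNS certificate host and whose path names a `.pem` file. The module name is hypothetical, and the host pattern `sns.<region>.amazonaws.com` (optionally `.cn`) and the `.pem` suffix are assumptions based on the format of AWS SNS certificate URLs.

```elixir
defmodule SnsCertUrlCheck do
  @moduledoc """
  Hypothetical guard for the `SigningCertURL` of an incoming SNS message.
  Rejects the URL before any certificate is fetched unless it is HTTPS,
  on an AWS SNS certificate host, and points at a .pem file.
  """

  # Assumed host shape: sns.<region>.amazonaws.com, optionally .amazonaws.com.cn
  defp sns_host_regex, do: ~r/^sns\.[a-z0-9-]{3,}\.amazonaws\.com(\.cn)?$/

  @doc "Returns :ok, or {:error, reason} naming the first failed check."
  def check(url) when is_binary(url) do
    uri = URI.parse(url)

    cond do
      uri.scheme != "https" ->
        {:error, :not_https}

      is_nil(uri.host) or not Regex.match?(sns_host_regex(), uri.host) ->
        {:error, :untrusted_host}

      not (is_binary(uri.path) and String.ends_with?(uri.path, ".pem")) ->
        {:error, :not_pem}

      true ->
        :ok
    end
  end

  def check(_), do: {:error, :missing_url}

  @doc """
  Runs the guard, then hands the decoded message map to `verify_fun`
  (for example a wrapper around the library's verification) only on :ok.
  """
  def verify_with_check(%{"SigningCertURL" => url} = message, verify_fun) do
    case check(url) do
      :ok -> verify_fun.(message)
      {:error, _} = err -> err
    end
  end

  def verify_with_check(_message, _verify_fun), do: {:error, :missing_url}
end
```

Because the guard runs before any network fetch, a message carrying a plain-HTTP or non-AWS certificate URL is refused without ever downloading a certificate, and the rejection reason can be logged for detection.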
**Recommendations**
Update `ex_aws_sns` to version 2.3.5.