Name of the Vulnerable Software and Affected Versions Strongbox versions prior to 0.5.0

Description The issue allows an attacker with read-only access to a Strongbox secret to craft a valid encrypted secret, which also affects the usefulness of audit logs from KMS. This is caused by a bug in the AWS Encryption SDK. The impact is limited for most users since encrypted secrets are stored in DynamoDB by default, and an attacker with read-only access cannot write the encrypted secret to DynamoDB. However, if an attacker has write access to the file storage or a custom storage backend, they could potentially exploit this issue. The attacker would need write access to both KMS and DynamoDB (or other storage backend) to stage an attack.

Recommendations For versions prior to 0.5.0, update to version 0.5.0 to resolve the issue. As a temporary workaround, consider restricting write access to the storage backend and KMS to minimize the risk of exploitation.