PT-2025-51880 · Amazon · Amazon S3 Encryption Client For .Net
Normj
·
Published
2025-12-17
·
Updated
2025-12-22
·
CVE-2025-14759
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Amazon S3 Encryption Client for .NET versions prior to 3.2.0
Description
A flaw exists in the Amazon S3 Encryption Client for .NET where a missing cryptographic key commitment could allow a user with write access to an S3 bucket to introduce a new encryption data key (EDK) that decrypts to different plaintext. This is possible when the encrypted data key is stored in an instruction file instead of S3’s metadata record.
Recommendations
Upgrade Amazon S3 Encryption Client for .NET to version 3.2.0 or later.
Fix
Use of a Broken Cryptographic Algorithm
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Amazon S3 Encryption Client For .Net