Vulnerability Details : CVE-2021-40829
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.
Products affected by CVE-2021-40829
- Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For PythonVersions before (<) 1.6.1cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:python:*:*
- Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For Node.jsVersions before (<) 1.5.3cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:node.js:*:*
- Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For JavaVersions before (<) 1.4.2cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:java:*:*
- Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For C++Versions before (<) 1.12.7cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:c\+\+:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-40829
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 44 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-40829
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:A/AC:L/Au:N/C:P/I:P/A:P |
6.5
|
6.4
|
NIST | |
6.3
|
MEDIUM | CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |
0.4
|
5.9
|
F-Secure | |
8.8
|
HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2021-40829
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-40829
-
https://github.com/aws/aws-iot-device-sdk-python-v2
GitHub - aws/aws-iot-device-sdk-python-v2: Next generation AWS IoT Client SDK for Python using the AWS Common RuntimeProduct
-
https://github.com/aws/aws-iot-device-sdk-cpp-v2
GitHub - aws/aws-iot-device-sdk-cpp-v2: Next generation AWS IoT Client SDK for C++ using the AWS Common RuntimeProduct
-
https://github.com/awslabs/aws-c-io/
GitHub - awslabs/aws-c-io: This is a module for the AWS SDK for C. It handles all IO and TLS work for application protocols.Product
-
https://github.com/aws/aws-iot-device-sdk-js-v2
GitHub - aws/aws-iot-device-sdk-js-v2: Next generation AWS IoT Client SDK for Node.js using the AWS Common RuntimeProduct
-
https://github.com/aws/aws-iot-device-sdk-java-v2
GitHub - aws/aws-iot-device-sdk-java-v2: Next generation AWS IoT Client SDK for Java using the AWS Common RuntimeProduct
Jump to