Executive Summary

This vulnerability involves the Amazon S3 Encryption Client for .NET, where a missing cryptographic key commitment allows a user with write access to an S3 bucket to introduce a new encrypted data key (EDK) that decrypts to different plaintext. This occurs when the encrypted data key is stored in an "instruction file" instead of S3's metadata record, potentially leading to incorrect decryption of data.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can impact you by allowing a user with write access to the S3 bucket to manipulate encrypted data keys, causing data to decrypt incorrectly to different plaintext. This can lead to data integrity issues and potentially unauthorized data manipulation or confusion about the actual data content.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade the Amazon S3 Encryption Client for .NET to version 4.0.0 or later.

Useful 0 Not Useful 0