Home

CVE-2021-40829

Description

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.

Risk Information

Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.102

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-40829 are fixed in Amazon-aws-iot-device-sdk 1.4.2Windows
Vulnerabilities CVE-2021-40829,CVE-2021-40830 are fixed in Python-awsiotsdk 1.6.1Windows
Vulnerabilities CVE-2021-40829 are fixed in Amazon-aws-iot-device-sdk for Linux 1.4.2Linux
Vulnerabilities CVE-2021-40829,CVE-2021-40830 are fixed in Python-awsiotsdk for linux 1.6.1Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234