GHSA-gvc7-gjrw-hj65: Duplicate Advisory: Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

January 19, 2024 (updated January 22, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-55xh-53m6-936r. This link is maintained to preserve external references.

Original Description

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.

References

github.com/advisories/GHSA-55xh-53m6-936r
github.com/advisories/GHSA-gvc7-gjrw-hj65
github.com/aws/aws-encryption-sdk-java
github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r
nvd.nist.gov/vuln/detail/CVE-2024-23680
vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r

Code Behaviors & Features

Detect and mitigate GHSA-gvc7-gjrw-hj65 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →