GMS-2020-6: CLI does not correctly implement strict mode

October 28, 2020 (updated September 27, 2021)

In the affected versions, the AWS Encryption CLI operated in “discovery mode” even when “strict mode” was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in “strict mode.”

Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.

References

github.com/advisories/GHSA-2xwp-m7mq-7q3r
github.com/aws/aws-encryption-sdk-cli/commit/7d21b8051cab9e52e056fe427d2bff19cf146460
github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r

Code Behaviors & Features

Detect and mitigate GMS-2020-6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →