Latest Amazon Vulnerabilities

CVE-2024-23680
AWS Encryption SDK for Java Improper Verification of Cryptographic Signature
maven/com.amazonaws:aws-encryption-sdk-java>=2.0.0<2.2.0
maven/com.amazonaws:aws-encryption-sdk-java<1.9.0
Amazon Aws Encryption Sdk<1.9.0
Amazon Aws Encryption Sdk>=2.0.0<2.2.0
CVE-2024-21634
Ion Java StackOverflow vulnerability
Amazon Ion<1.10.5
maven/com.amazon.ion:ion-java<1.10.5
maven/software.amazon.ion:ion-java<1.10.5
CVE-2023-51386
Sandbox Accounts for Events vulnerable to privilege escalation to read running events data
<1.1.0
CVE-2023-50928
sandbox-accounts-for-events security misconfiguration leads to budget exceed
Amazon Awslabs Sandbox Accounts For Events<1.1.0
CVE-2023-51651
Potential URI resolution path traversal in the AWS SDK for PHP
composer/aws/aws-sdk-php<3.288.1
Amazon Aws Software Development Kit<3.288.1
<3.288.1
CVE-2021-27504
Texas Instruments FREERTOS Integer Overflow or Wraparound
Amazon Freertos=10.4.1
Ti Simplelink Cc13xx Software Development Kit<4.40.00
Ti Simplelink Cc26xx Software Development Kit<4.40.00
Ti Simplelink Cc32xx Software Development Kit<4.10.03
Ti Simplelink Msp432e401y
Ti Simplelink Msp432e411y
and 29 more
CVE-2023-45807
### Impact There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete oper...
Amazon Opensearch<1.3.14.0
Amazon Opensearch<1.3.14.0
Amazon Opensearch>=2.0.0<2.11.0.0
Amazon Opensearch>=2.0.0<2.11.0.0
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 556 more
CVE-2023-36467
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a us...
Amazon Aws-dataall>=1.2.0<=1.5.1
CVE-2023-35165
AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2...
Amazon Aws Cloud Development Kit>=1.57.0<1.202.0
Amazon Aws Cloud Development Kit>=2.0.0<2.80.0
CVE-2023-33248
Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 ...
Amazon Alexa=8960323972
Amazon Echo Dot
Amazon Echo Dot
CVE-2023-31141
OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access con...
Amazon Opensearch<1.3.10
Amazon Opensearch>=2.0.0<2.7.0
Amazon Opensearch Security<1.3.10
Amazon Opensearch Security>=2.0.0<2.7.0
maven/org.opensearch.plugin:opensearch-security>=2.0.0<2.7.0.0
maven/org.opensearch.plugin:opensearch-security>=1.0.0<1.3.10.0
CVE-2023-1384
The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter allowing for arbitrary javascript code to be run This issue affects: Amazon Fire TV Stick 3rd gen ver...
Amazon Fire OS<6.2.9.5
Amazon Fire TV Stick 3rd gen
Amazon Fire OS<7.6.3.3
Bestbuy Insignia Tv
CVE-2023-1385
Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services. This...
Amazon Fire OS<6.2.9.5
Amazon Fire TV Stick 3rd gen
Amazon Fire OS<7.6.3.3
Bestbuy Insignia Tv
CVE-2023-1383
An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible. ...
Amazon Fire OS<6.2.9.5
Amazon Fire TV Stick 3rd gen
Amazon Fire OS<7.6.3.3
Bestbuy Insignia Tv
CVE-2023-30610
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include ...
Amazon Aws-sigv4=0.2.0
Amazon Aws-sigv4=0.3.0
Amazon Aws-sigv4=0.4.1
Amazon Aws-sigv4=0.5.2
Amazon Aws-sigv4=0.6.0
Amazon Aws-sigv4=0.7.0
and 18 more
CVE-2023-24513
On affected platforms running Arista CloudEOS an issue in the Software Forwarding Engine (Sfe) can lead to a potential denial of service attack by sending malformed packets to the switch. This causes ...
Arista CloudEOS>=4.26.0<4.26.9m
Arista CloudEOS>=4.27.0<4.27.8m
Arista CloudEOS>=4.28.0<4.28.5m
Arista CloudEOS>=4.29.0<4.29.2f
Amazon Aws Marketplace
Equinix Network Edge
and 3 more
CVE-2023-25806
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the ...
Amazon Opensearch<1.3.9
Amazon Opensearch>=2.0.0<2.6.0
Amazon Opensearch Security<1.3.9
Amazon Opensearch Security>=2.0.0<2.6.0
CVE-2023-23933
Amazon Opensearch>=1.0.0<1.3.8
Amazon Opensearch>=2.0.0<2.6.0
CVE-2022-46174
efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS...
Amazon Efs-utils<1.34.4
Amazon Elastic File System Container Storage Interface Driver<1.4.8
CVE-2022-4725
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java...
Amazon Aws Software Development Kit<2.59.1
<2.59.1
CVE-2022-41917
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue...
Amazon Opensearch>=1.0.0<1.3.7
Amazon Opensearch>=2.0.0<2.4.0
CVE-2022-41918
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level sec...
Amazon Opensearch<1.3.7
Amazon Opensearch>=2.0.0<2.4.0
CVE-2022-41906
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue ...
Amazon Opensearch Notifications<2.2.1.0
CVE-2022-41828
In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.
Amazon Amazon Web Services Redshift Java Database Connectivity Driver<2.1.0.8
CVE-2022-39230
fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unautho...
Amazon Fhir-works-on-aws-authz-smart>=3.1.0<3.1.3
CVE-2022-35980
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure v...
Amazon Opensearch=2.0.0
Amazon Opensearch=2.1.0
CVE-2022-34266
The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a ...
Libtiff Libtiff=4.0.3-35
Amazon Linux 2
CVE-2022-31159
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of th...
IBM Disconnected Log Collector<=1.12.260
IBM Disconnected Log Collector<=v1.0 - v1.8.2
CVE-2022-31115
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-rub...
Amazon Opensearch<2.0.2
CVE-2022-29527
Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situation...
Amazon Amazon Ssm Agent<3.1.1208.0
CVE-2021-3100
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.
Amazon Log4jhotpatch<1.1-13
Linux Linux kernel
CVE-2022-25165
An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list...
Amazon Aws Client Vpn=2.0.0
CVE-2022-25166
An issue was discovered in Amazon AWS VPN Client 2.0.0. It is possible to include a UNC path in the OpenVPN configuration file when referencing file paths for parameters (such as auth-user-pass). When...
Amazon Aws Client Vpn=2.0.0
CVE-2022-24709
@awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 ...
Amazon Awsui\/components-react<3.0.367
CVE-2022-25809
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attac...
Amazon Echo Dot Firmware
Amazon Echo Dot=3.0
Amazon Echo Dot=4.0
CVE-2021-44833
The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.
Amazon AWS OpenSearch=1.0.0
CVE-2021-43811
Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use un...
Amazon Sockeye<2.3.24
CVE-2021-43637
Amazon WorkSpaces agent is affected by Buffer Overflow. IOCTL Handler 0x22001B in the Amazon WorkSpaces agent below v1.0.1.1537 allow local attackers to execute arbitrary code in kernel mode or cause ...
Amazon WorkSpaces<1.0.1.1537
CVE-2021-43638
Amazon Amazon WorkSpaces agent is affected by Integer Overflow. IOCTL Handler 0x22001B in the Amazon WorkSpaces agent below v1.0.1.1537 allow local attackers to execute arbitrary code in kernel mode o...
Amazon WorkSpaces<1.0.1.1537
CVE-2021-40829
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not ...
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.4.2
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.3
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.6.1
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.12.7
Apple macOS
CVE-2021-40830
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succee...
Amazon Amazon Web Services Aws-c-io=0.10.4
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.0
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.3
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.6.1
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.12.7
Linux Linux kernel
and 1 more
CVE-2021-40828
Amazon Amazon Web Services Aws-c-io<0.9.13
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.3.3
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.1
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.18
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.12.7
Microsoft Windows
CVE-2021-40831
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation i...
Amazon Amazon Web Services Aws-c-io=0.10.7
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.5.0
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.6.0
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.7.0
Amazon Amazon Web Services Internet Of Things Device Software Development Kit V2<1.14.0
Apple macOS
CVE-2021-43997
FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a thir...
Amazon Freertos>=10.2.0<10.4.6
Amazon Freertos=10.4.3-patch1
CVE-2021-41150
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names w...
Amazon Tough<0.12.0
CVE-2021-41149
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when cach...
Amazon Tough<0.12.0
CVE-2021-38112
In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (C...
Amazon Aws Workspaces>=3.0.10<3.1.9
CVE-2021-30355
Amazon Kindle e-reader prior to and including version 5.13.4 improperly manages privileges, allowing the framework user to elevate privileges to root.
Amazon Kindle Firmware<=5.13.4
Amazon Kindle
CVE-2021-30354
Amazon Kindle e-reader prior to and including version 5.13.4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function CJBig2Image::expand() and results in a memory corruptio...
Amazon Kindle Firmware<=5.13.4
Amazon Kindle

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203