Vulnerabilities (CVE)

Filtered by vendor Amazon Subscribe
Total 122 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-37436 1 Amazon 2 Echo Dot, Echo Dot Firmware 2024-02-04 1.9 LOW 4.2 MEDIUM
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.
CVE-2021-32020 1 Amazon 1 Freertos 2024-02-04 7.5 HIGH 9.8 CRITICAL
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory.
CVE-2021-31828 1 Amazon 1 Open Distro 2024-02-04 5.5 MEDIUM 7.1 HIGH
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
CVE-2021-31572 1 Amazon 1 Freertos 2024-02-04 7.5 HIGH 9.8 CRITICAL
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.
CVE-2020-36363 1 Amazon 1 Amazon Cloudfront 2024-02-04 7.5 HIGH 9.8 CRITICAL
Amazon AWS CloudFront TLSv1.2_2019 allows TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, which some entities consider to be weak ciphers.
CVE-2021-30355 1 Amazon 2 Kindle, Kindle Firmware 2024-02-04 9.3 HIGH 8.6 HIGH
Amazon Kindle e-reader prior to and including version 5.13.4 improperly manages privileges, allowing the framework user to elevate privileges to root.
CVE-2021-31571 1 Amazon 1 Freertos 2024-02-04 7.5 HIGH 9.8 CRITICAL
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.
CVE-2021-30354 1 Amazon 2 Kindle, Kindle Firmware 2024-02-04 9.3 HIGH 8.6 HIGH
Amazon Kindle e-reader prior to and including version 5.13.4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function CJBig2Image::expand() and results in a memory corruption that leads to code execution when parsing a crafted PDF book.
CVE-2020-27174 1 Amazon 1 Firecracker 2024-02-04 5.0 MEDIUM 7.5 HIGH
In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host.
CVE-2020-8897 1 Amazon 1 Aws Encryption Sdk 2024-02-04 5.5 MEDIUM 8.1 HIGH
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.
CVE-2020-28472 1 Amazon 2 Aws Sdk For Javascipt, Aws Shared Configuration File Loader 2024-02-04 7.5 HIGH 9.8 CRITICAL
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-16843 1 Amazon 1 Firecracker 2024-02-04 4.3 MEDIUM 5.9 MEDIUM
In Firecracker 0.20.x before 0.20.1 and 0.21.x before 0.21.2, the network stack can freeze under heavy ingress traffic. This can result in a denial of service on the microVM when it is configured with a single network interface, and an availability problem for the microVM network interface on which the issue is triggered.
CVE-2020-8912 1 Amazon 1 Aws S3 Crypto Sdk 2024-02-04 2.1 LOW 2.5 LOW
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
CVE-2020-8911 1 Amazon 1 Aws S3 Crypto Sdk 2024-02-04 2.1 LOW 5.6 MEDIUM
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
CVE-2020-15093 1 Amazon 1 Tough 2024-02-04 5.0 MEDIUM 8.6 HIGH
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.
CVE-2019-3986 1 Amazon 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware 2024-02-04 8.3 HIGH 8.8 HIGH
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the encryption parameter.
CVE-2019-18960 1 Amazon 1 Firecracker 2024-02-04 7.5 HIGH 9.8 CRITICAL
Firecracker vsock implementation buffer overflow in versions 0.18.0 and 0.19.0. This can result in potentially exploitable crashes.
CVE-2019-3984 1 Amazon 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet.
CVE-2019-11554 1 Amazon 1 Audible 2024-02-04 4.3 MEDIUM 5.9 MEDIUM
The Audible application through 2.34.0 for Android has Missing SSL Certificate Validation for Adobe SDKs, allowing MITM attackers to cause a denial of service.
CVE-2019-10777 1 Amazon 1 Aws Lambda 2024-02-04 7.5 HIGH 9.8 CRITICAL
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".