Bug 2423393 (CVE-2025-14762)

Summary: CVE-2025-14762 aws-sdk-ruby: AWS SDK for Ruby: Data integrity compromise via missing cryptographic key commitment
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the AWS SDK for Ruby, specifically in its client-side encryption support for Amazon S3 (Simple Storage Service). The SDK encrypts each object under a per-object data key and stores that key in wrapped form as an Encrypted Data Key (EDK), either in the object's S3 metadata or in a separate "instruction file" object stored alongside the encrypted object. The SDK does not cryptographically commit the ciphertext to the data key that produced it, so a user with write access to the bucket can replace the EDK in an instruction file with one of their choosing; the SDK then unwraps a different data key and decrypts the object to different plaintext instead of failing. The result is a loss of data integrity: a reader receives content that is not what was originally encrypted.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2423591, 2423592
Bug Blocks:

Description OSIDB Bzimport 2025-12-17 21:03:08 UTC
The AWS SDK for Ruby is the open-source AWS client library for Ruby. It includes a client-side encryption client for Amazon S3 that is used to write and read encrypted objects: each object is encrypted under a per-object data key, and that data key is itself wrapped and stored as an Encrypted Data Key (EDK), either in the object's S3 metadata record or in a separate "instruction file" object stored alongside the encrypted object.


Because the AWS SDK for Ruby does not cryptographically commit the ciphertext to the data key that produced it (missing key commitment), a user with write access to the S3 bucket may introduce a new EDK when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. The client unwraps the substituted EDK to a different data key and the object decrypts to different plaintext; the reader receives the wrong content rather than an error.


To mitigate this issue, upgrade the AWS SDK for Ruby's aws-sdk-s3 gem, the component that contains the S3 encryption client, to version 1.208.0 or later. Check that the deployed version actually moved: applications that pin gems through Gemfile.lock need the lockfile updated as well (for example with `bundle update aws-sdk-s3`), otherwise the old version keeps shipping.
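The property the advisory names, missing key commitment, shown in working code. This is an added example; it is not code from the AWS SDK for Ruby or from AWS, and it does not reproduce the SDK's bug, whose concrete mechanics this page does not describe. It assumes AES-256-GCM as the content cipher (a common AEAD choice for client-side encryption; the page itself does not name the cipher) and uses the fact that GCM is not key-committing: given two data keys and one nonce, a single ciphertext and tag can be computed that OpenSSL accepts under both keys while returning different plaintexts. `forge` is that construction (standard GHASH algebra, solved for one ciphertext block; it needs both keys, so it models an attacker who knows the original data key, such as the party that encrypted the object). `committing_open` is the defensive side: a commitment derived from the data key and stored beside the ciphertext rather than in the attacker-writable EDK record, so a substituted key is refused before the content cipher runs. The module, function names, HMAC label and the "PAY 100 USD: BOB" message are all this example's own choices.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the AWS SDK for Ruby. AES-256-GCM is not key-committing:
# for data keys k1 != k2 and one nonce, a single ciphertext and tag can be built that
# authenticates under both keys yet decrypts to two different plaintexts. A commitment
# derived from the data key and stored with the ciphertext rejects a substituted key.
module GcmKeyCommitment
  BLOCK = 16
  R = 0xE1 << 120   # GCM reduction constant, x^128 + x^7 + x^2 + x + 1
  ONE = 1 << 127    # the field element 1 in GCM's bit order
  COMMIT_LABEL = 'data-key-commitment-v1'.freeze   # label invented for this example
  class KeyCommitmentError < StandardError; end

  # Blocks are handled as big-endian 128-bit integers.
  def self.b2i(bytes); bytes.unpack1('H*').to_i(16); end
  def self.i2b(int); [int.to_s(16).rjust(32, '0')].pack('H*'); end

  # GF(2^128) multiplication as in NIST SP 800-38D, Algorithm 1.
  def self.gf_mul(x, y)
    z = 0
    v = x
    128.times do |i|
      z ^= v if ((y >> (127 - i)) & 1) == 1
      v = v.odd? ? (v >> 1) ^ R : v >> 1
    end
    z
  end

  def self.gf_pow(x, e)
    result = ONE
    while e > 0
      result = gf_mul(result, x) if e.odd?
      x = gf_mul(x, x)
      e >>= 1
    end
    result
  end

  # Fermat: x^(2^128 - 2) is the inverse of a nonzero x.
  def self.gf_inv(x); gf_pow(x, (1 << 128) - 2); end

  def self.aes_block(key, block)
    c = OpenSSL::Cipher.new('aes-256-ecb').encrypt
    c.key = key
    c.padding = 0
    c.update(block) + c.final
  end

  # H = E_K(0^128); nonce || 0x00000001 feeds the tag, CTR blocks start at nonce || 0x00000002.
  def self.hash_subkey(key); b2i(aes_block(key, "\0" * BLOCK)); end
  def self.ctr_block(key, nonce, n); b2i(aes_block(key, nonce + [n].pack('N'))); end

  # Two ciphertext blocks, no AAD: tag = C1*H^3 + C2*H^2 + L*H + E_K(J0), L being the
  # length block (0 AAD bits, 256 ciphertext bits). C1 is chosen so that it decrypts
  # to +message+ under k1; C2 is solved so that the tags under k1 and k2 coincide.
  def self.forge(k1, k2, nonce, message)
    raise ArgumentError, 'message must be one 16-byte block' unless message.bytesize == BLOCK
    h1, h2 = hash_subkey(k1), hash_subkey(k2)
    raise ArgumentError, 'keys share a hash subkey' if h1 == h2
    len_block = 2 * BLOCK * 8
    c1 = b2i(message) ^ ctr_block(k1, nonce, 2)
    e1, e2 = ctr_block(k1, nonce, 1), ctr_block(k2, nonce, 1)
    # T1 = T2  <=>  C2*(H1^2 + H2^2) = C1*(H1^3 + H2^3) + L*(H1 + H2) + E1 + E2
    rhs = gf_mul(c1, gf_pow(h1, 3) ^ gf_pow(h2, 3)) ^ gf_mul(len_block, h1 ^ h2) ^ e1 ^ e2
    c2 = gf_mul(rhs, gf_inv(gf_pow(h1, 2) ^ gf_pow(h2, 2)))
    tag = gf_mul(c1, gf_pow(h1, 3)) ^ gf_mul(c2, gf_pow(h1, 2)) ^ gf_mul(len_block, h1) ^ e1
    [i2b(c1) + i2b(c2), i2b(tag)]
  end

  # Plain AES-GCM open through OpenSSL, as a client without key commitment does it.
  def self.gcm_open(key, nonce, ciphertext, tag)
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = nonce
    c.auth_tag = tag
    c.update(ciphertext) + c.final
  end

  # Key commitment: derived from the data key alone and stored with the ciphertext, not
  # in the attacker-writable EDK record. A substituted key fails this check before the
  # content cipher runs, regardless of what the cipher would have said about the tag.
  def self.commitment(key); OpenSSL::HMAC.digest('SHA256', key, COMMIT_LABEL); end
  def self.secure_equal?(a, b); a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |s, (x, y)| s | (x ^ y) }.zero?; end
  def self.committing_open(key, nonce, ciphertext, tag, expected)
    raise KeyCommitmentError, 'data key does not match stored commitment' unless secure_equal?(commitment(key), expected)
    gcm_open(key, nonce, ciphertext, tag)
  end

  # Keys and nonce are constructed at random; any k1 != k2 works.
  def self.demo(k1 = SecureRandom.random_bytes(32), k2 = SecureRandom.random_bytes(32), nonce = SecureRandom.random_bytes(12))
    ct, tag = forge(k1, k2, nonce, 'PAY 100 USD: BOB')
    committed = commitment(k1)   # written once by the legitimate encryptor, beside the ciphertext
    rejected = begin committing_open(k2, nonce, ct, tag, committed); false; rescue KeyCommitmentError; true; end
    { under_k1: gcm_open(k1, nonce, ct, tag),  # verifies; block 1 is the message
      under_k2: gcm_open(k2, nonce, ct, tag),  # also verifies; unrelated bytes
      committing_k1: committing_open(k1, nonce, ct, tag, committed),
      committing_rejects_k2: rejected }
  end
end
```

Calling `GcmKeyCommitment.demo` returns the two plaintexts that OpenSSL accepted for the same ciphertext and tag, plus the result of the committing check. The lesson for an S3 encryption client is that a verifying authentication tag says nothing about which key produced the ciphertext; whoever can replace the EDK record (here, the instruction file) can change what a reader decrypts without tripping authentication, and only a check that binds the ciphertext to the key itself closes that gap.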