Bug 2423393 (CVE-2025-14762) - CVE-2025-14762 aws-sdk-ruby: AWS SDK for Ruby: Data integrity compromise via missing cryptographic key commitment
Keywords:
Status: NEW
Alias: CVE-2025-14762
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2423591 2423592
Blocks:
Reported: 2025-12-17 21:03 UTC by OSIDB Bzimport
Modified: 2025-12-18 15:04 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description (OSIDB Bzimport, 2025-12-17 21:03:08 UTC)

The AWS SDK for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.

Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.

To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.