CVE-2023-38325 #8077

tooptoop4 · 2023-08-03T01:48:05Z

Describe the bug

pip3 install https://github.com/aws/aws-cli/archive/refs/tags/2.13.6.tar.gz

Installed Resource
cryptography 40.0.1

Fixed Version
41.0.2

Expected Behavior

high cve gone with new cryptography

Current Behavior

high cve

Reproduction Steps

install latest v2

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.13.6

Environment details (OS name and version, etc.)

unix

tim-finnigan · 2023-08-03T17:35:39Z

Hi @tooptoop4 thanks for reaching out. I brought this up for discussion with the team, and they wanted me to highlight that the AWS CLI should not be affected by this CVE as it does not use the cryptography package for SSH certificates. There is a dependabot PR (#8030) raising the version ceiling for cryptography and we recommend tracking that for updates going forward. The team is currently blocked on merging that PR pending further review.

github-actions · 2023-08-03T17:35:57Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

tooptoop4 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 3, 2023

tim-finnigan self-assigned this Aug 3, 2023

tim-finnigan closed this as completed Aug 3, 2023

tim-finnigan removed the needs-triage This issue or PR still needs to be triaged. label Aug 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-38325 #8077

CVE-2023-38325 #8077

tooptoop4 commented Aug 3, 2023

tim-finnigan commented Aug 3, 2023

github-actions bot commented Aug 3, 2023