CVE-2026-3336

{"id": "CVE-2026-3336", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-02T22:16:31.277", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS/", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-lc/releases/tag/v1.69.0", "tags": ["Release Notes"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.\n\nCustomers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0."}, {"lang": "es", "value": "Validaci\u00f3n incorrecta de certificados en PKCS7_verify() en AWS-LC permite a un usuario no autenticado eludir la verificaci\u00f3n de la cadena de certificados al procesar objetos PKCS7 con m\u00faltiples firmantes, excepto el firmante final.\n\nLos clientes de los servicios de AWS no necesitan tomar ninguna medida. Las aplicaciones que utilizan AWS-LC deber\u00edan actualizarse a la versi\u00f3n 1.69.0 de AWS-LC."}], "lastModified": "2026-03-11T17:16:00.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws-lc-sys:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "1657BD7A-BA4B-430A-809F-DE772460B0EA", "versionEndExcluding": "0.38.0", "versionStartIncluding": "0.24.0"}, {"criteria": "cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B6E82AB-2DB6-4350-B218-772CE7852DCC", "versionEndExcluding": "1.69.0", "versionStartIncluding": "1.41.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}