EEF-CVE-2026-47074
ex_aws_sns SigningCertURL not validated in verify_message/1
상세
## Summary
Improper Certificate Validation vulnerability in ex-aws ex\_aws\_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.
This vulnerability is associated with program files lib/ex\_aws/sns.ex, lib/ex\_aws/sns/public\_key\_cache.ex and program routines 'Elixir.ExAws.SNS':verify\_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.
'Elixir.ExAws.SNS':verify\_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify\_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.
This issue affects ex\_aws\_sns: from 2.0.1 before 2.3.5.
## Configuration
The application must expose an HTTP endpoint that calls 'Elixir.ExAws.SNS':verify\_message/1 on incoming request bodies.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.