Amazon S3 Encryption Client for Java < 4.0.0 Key Commitment (AWS-2025-032)

medium Nessus Plugin ID 282633

Synopsis

A package installed on the remote host is affected by a cryptographic key commitment vulnerability.

Description

The version of Amazon S3 Encryption Client for Java on the remote host is < 4.0.0. It is, therefore, affected by a key commitment vulnerability as referenced in the AWS-2025-032 advisory.

Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new encrypted data key (EDK) that decrypts the object to different plaintext. This applies when the EDK is stored in an instruction file (a separate S3 object) instead of the object's S3 metadata record.
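The mechanism behind this class of bug, as an added example in Python that is not code from the S3 Encryption Client, Tenable or the AWS bulletin: AES-GCM does not commit to its key, so a single ciphertext-plus-tag can be built that authenticates under two different data keys and decrypts to two different plaintexts (the "invisible salamander" construction, solved here for the general two-key case with no AAD and a 96-bit nonce). The block then shows a hypothetical commitment check that rejects a swapped data key before any decryption; the HMAC-of-a-label scheme, the `COMMIT_LABEL` constant and the mapping "k2 is the attacker's injected EDK" are this example's assumptions, not the format the client actually uses in 4.0.0. It needs the third-party `cryptography` package for AES.

```python
# Added example (not code from the S3 Encryption Client or the AWS advisory).
# Needs the third-party `cryptography` package for AES. Shows (1) that AES-GCM
# does not commit to its key: one ciphertext+tag authenticates under two keys
# and yields two plaintexts, and (2) a hypothetical commitment check that
# rejects a swapped data key before AES-GCM runs.
import hashlib
import hmac

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

R = 0xE1000000000000000000000000000000  # GCM reduction constant (bit-reflected)
ONE = 1 << 127                            # multiplicative identity in that representation
COMMIT_LABEL = b"KEY-COMMITMENT"          # hypothetical label, not the client's real format


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) exactly as GCM defines it (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(x: int) -> int:
    """x^(2^128 - 2) == 1/x; square-and-multiply."""
    result, base, e = ONE, x, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_block(key: bytes, block: bytes) -> bytes:
    """Raw single-block AES, used for H, E_K(J0) and one keystream block."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def ghash(h: int, blocks: list) -> int:
    """GHASH over full 16-byte blocks: Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ int.from_bytes(b, "big"), h)
    return y


def two_key_gcm_ciphertext(k1: bytes, k2: bytes, nonce: bytes, p1_block: bytes) -> bytes:
    """32 bytes of ciphertext plus a 16-byte tag that verify under BOTH k1 and k2.

    Block 1 decrypts to p1_block under k1; block 2 is solved so the two GHASH
    tags collide. No AAD, 96-bit nonce. Under k2 both blocks decrypt to other bytes.
    """
    h1 = int.from_bytes(aes_block(k1, bytes(16)), "big")
    h2 = int.from_bytes(aes_block(k2, bytes(16)), "big")
    j0 = nonce + b"\x00\x00\x00\x01"
    e1 = int.from_bytes(aes_block(k1, j0), "big")
    e2 = int.from_bytes(aes_block(k2, j0), "big")
    c1 = bytes(a ^ b for a, b in zip(p1_block, aes_block(k1, nonce + b"\x00\x00\x00\x02")))
    length_block = (0).to_bytes(8, "big") + (32 * 8).to_bytes(8, "big")  # [len(A)]64 || [len(C)]64
    c1i, li = int.from_bytes(c1, "big"), int.from_bytes(length_block, "big")
    h1sq, h2sq = gf_mul(h1, h1), gf_mul(h2, h2)
    if h1sq == h2sq:
        raise ValueError("H1 == H2; choose different keys")
    # Tag_k1 == Tag_k2  <=>  C1(H1^3+H2^3) + C2(H1^2+H2^2) + L(H1+H2) + E1 + E2 = 0
    rhs = gf_mul(c1i, gf_mul(h1sq, h1) ^ gf_mul(h2sq, h2)) ^ gf_mul(li, h1 ^ h2) ^ e1 ^ e2
    c2 = gf_mul(rhs, gf_inv(h1sq ^ h2sq)).to_bytes(16, "big")
    tag = ghash(h1, [c1, c2, length_block]) ^ e1
    return c1 + c2 + tag.to_bytes(16, "big")


def commitment(data_key: bytes) -> bytes:
    """Hypothetical commitment value stored beside the EDK: HMAC of a fixed label."""
    return hmac.new(data_key, COMMIT_LABEL, hashlib.sha256).digest()


def decrypt_committed(data_key: bytes, stored: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Refuse to decrypt unless the unwrapped data key matches the stored commitment."""
    if not hmac.compare_digest(commitment(data_key), stored):
        raise ValueError("data key does not match stored commitment")
    return AESGCM(data_key).decrypt(nonce, blob, None)


def demo() -> dict:
    """Constructed inputs: k1 is the legitimate data key, k2 an attacker-chosen one."""
    k1, k2, nonce = bytes(range(32)), bytes(range(32, 64)), bytes(12)
    blob = two_key_gcm_ciphertext(k1, k2, nonce, b"role=user;quota=")
    under_k1 = AESGCM(k1).decrypt(nonce, blob, None)  # authenticates
    under_k2 = AESGCM(k2).decrypt(nonce, blob, None)  # also authenticates, different plaintext
    try:
        decrypt_committed(k2, commitment(k1), nonce, blob)
        rejected = False
    except ValueError:
        rejected = True
    return {"under_k1": under_k1, "under_k2": under_k2, "swapped_key_rejected": rejected,
            "committed_ok": decrypt_committed(k1, commitment(k1), nonce, blob) == under_k1}
```

`demo()` returns the two plaintexts the same blob yields under k1 and k2, shows that the bare AES-GCM decrypt raises no error for either key, and shows that the commitment check fails closed when the key presented does not match the commitment recorded at encryption time. The general point for a client that stores the EDK outside the object: whatever value is checked must be bound to the data key that actually produced the ciphertext, and it must be verified before the decryption result is trusted.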

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update Amazon S3 Encryption Client for Java to version 4.0.0 or later.

See Also

https://aws.amazon.com/security/security-bulletins/AWS-2025-032/

Plugin Details

Severity: Medium

ID: 282633

File Name: s3_encryption_client_java_CVE-2025-14763.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/13/2026

Updated: 1/13/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2025-14763

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: cpe:/a:amazon:s3_encryption_client:java

Required KB Items: installed_sw/Amazon S3 Encryption Client for Java

Exploit Ease: No known exploits are available

Patch Publication Date: 12/17/2025

Vulnerability Publication Date: 12/17/2025

Reference Information

CVE: CVE-2025-14763

IAVA: 2026-A-0003