CVE-2018-9057: Insufficient Entropy in PRNG in HashiCorp Terraform-provider-aws

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.5% (top 35.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; Latest update May 14

Description

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Patches

Vulnerability Details (2)

OSV: HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG (2022-05-14)
GHSA: HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG (2022-05-14)

Vendor Advisories (1)

Microsoft: aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding which makes it easier for remot… (2018-03-13)

Framework References (1)

CWE: Predictable Seed in Pseudo-Random Number Generator (PRNG)