CVE-2020-8911Use of a Broken or Risky Cryptographic Algorithm in AWS S3 Crypto SDK

CWE-327Use of a Broken or Risky Cryptographic AlgorithmCWE-668Resource Exposure8 documents5 sources
Severity
5.6MEDIUMNVD
GHSA2.5OSV2.5
EPSS
0.2%
top 57.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com AWS Aws-sdk-goAmazon AWS S3 Crypto SDKGoogle LLC AWS S3 Crypto SDK FOR Golang
Timeline
PublishedAug 11
Latest updateJul 13

Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to man

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages3 packages

🔴Vulnerability Details

5
GHSA
Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library2022-07-13
OSV
Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library2022-07-13
OSV
CBC padding oracle issue in AWS S3 Crypto SDK for golang2022-02-11
GHSA
CBC padding oracle issue in AWS S3 Crypto SDK for golang2022-02-11
OSV
CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go2022-02-11

📋Vendor Advisories

1
Red Hat
aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang2020-08-11

💬Community

1
Bugzilla
CVE-2020-8911 aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang2020-08-18