CVE-2020-8912: Use of a Broken or Risky Cryptographic Algorithm in AWS S3 Crypto SDK

Severity
NVD: 2.5 (Low)
GHSA: 5.6
OSV: 5.6
EPSS: 0.1% (top 65.77%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 11
Latest update: Dec 12

Description

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended t

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.0 | Impact: 1.4

Affected Packages: 3 packages

🔴 Vulnerability Details (7)

OSV: In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go (2024-12-12)
GHSA: Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library (2022-07-13)
OSV: Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library (2022-07-13)
OSV: CBC padding oracle issue in AWS S3 Crypto SDK for golang (2022-02-11)
GHSA: CBC padding oracle issue in AWS S3 Crypto SDK for golang (2022-02-11)

📋 Vendor Advisories (1)

Red Hat: aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang (2020-08-11)

💬 Community (1)

Bugzilla: CVE-2020-8912 aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang (2020-08-18)