CVE-2022-2582 — Inadequate Encryption Strength in AWS Aws-sdk-go Github.com AWS Aws-sdk-go Service S3 S3crypto

CWE-326 — Inadequate Encryption Strength7 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 77.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com AWS Aws-sdk-go Github.com AWS Aws-sdk-go Service S3 S3crypto Github.com AWS Aws-sdk-go Amazon AWS Software Development KIT +1 more

Timeline

PublishedDec 27

Latest updateDec 28

Description

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5github.com/aws_aws-sdk-go_github.com_aws_aws-sdk-go_service_s3_s3crypto< 1.34.0

▶Gogithub.com/aws_aws-sdk-go< 1.34.0

▶NVDamazon/aws_software_development_kit< 1.34.0

▶debiandebian/golang-github-aws-aws-sdk-go< golang-github-aws-aws-sdk-go 1.34.22-1 (bookworm)

Patches

Patch: github.com ↗Patch: pkg.go.dev ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field↗2022-12-28

▶

GHSA

AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field↗2022-12-28

▶

OSV

CVE-2022-2582: The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field↗2022-12-27

▶

OSV

Exposure of unencrypted plaintext hash in github.com/aws/aws-sdk-go↗2022-07-01

▶

OSV

Duplicate Advisory: Unencrypted md5 plaintext hash in metadata in AWS S3 Crypto SDK for golang↗2022-02-11

▶

📋Vendor Advisories

Debian

CVE-2022-2582: golang-github-aws-aws-sdk-go - The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the c...↗2022

▶