Vulnerability Report: GO-2022-0391
- CVE-2022-2582, GHSA-6jvc-q2x7-pchv, and 1 more
- Affects: github.com/aws/aws-sdk-go
- Published: Jul 01, 2022
- Modified: May 20, 2024
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
Affected Packages
- Go Versions: before v1.34.0
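To check a project against the "before v1.34.0" bound above, the sketch below reads the require directives of a go.mod and reports an affected pin of github.com/aws/aws-sdk-go. It is an added example, not code from the report or the SDK; the function names and the sample go.mod are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const modulePath = "github.com/aws/aws-sdk-go" // module named in the report

// affected reports whether v sorts before v1.34.0, the bound given in the report.
func affected(v string) bool {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(core, "-")                      // pre-release or pseudo-version suffix
	var major, minor, patch int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return true // unparsable: flag for manual review
	}
	return major < 1 || (major == 1 && minor < 34) ||
		(pre && major == 1 && minor == 34 && patch == 0)
}

// findAffected returns the version a go.mod require directive pins if it is affected, else "".
func findAffected(gomod string) string {
	block := "" // directive whose parenthesised block we are inside, if any
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // strip "// indirect" etc.
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && block == "" && f[0] == "require":
			f = f[1:] // single-line form
		case block != "require":
			f = nil // module, go, replace, exclude lines
		}
		if len(f) == 2 && f[0] == modulePath && affected(f[1]) {
			return f[1]
		}
	}
	return ""
}

// sample is a constructed go.mod used only for this demonstration.
const sample = "module example.test/app\n\nrequire (\n\tgithub.com/aws/aws-sdk-go v1.33.21 // indirect\n)\n"

func main() {
	fmt.Printf("affected version pinned: %q\n", findAffected(sample))
}
```

A go.mod records a minimum requirement, so the version actually built can be higher; `go list -m github.com/aws/aws-sdk-go` reports the selected one.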
Aliases
References
- https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
- https://vuln.go.dev/ID/GO-2022-0391.json