CVE-2022-2582

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GoCNA
---
---
CVEADP
---
---
CISA-ADPADP
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
VendorProductVersion
amazonaws_software_development_kit
𝑥
< 1.34.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-aws-aws-sdk-go
bullseye
1.36.33-1
fixed
buster
postponed
bookworm
1.44.133-1
fixed
sid
1.49.0-2
fixed
trixie
1.49.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-aws-aws-sdk-go
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
focal
needs-triage
bionic
needs-triage
xenial
not-affected
trusty
ignored
Common Weakness Enumeration
References
https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
https://pkg.go.dev/vuln/GO-2022-0391
https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
https://pkg.go.dev/vuln/GO-2022-0391