GHSA-r48h-jr2j-9g78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r48h-jr2j-9g78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r48h-jr2j-9g78/GHSA-r48h-jr2j-9g78.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r48h-jr2j-9g78
- Aliases
- Related
- Published
- 2022-05-14T03:29:43Z
- Modified
- 2024-02-21T23:41:46.890981Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG
- Details
-
aws/resourceawsiamuserlogin_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
- Database specific
{ "nvd_published_at": "2018-03-27T18:29:00Z", "cwe_ids": [ "CWE-332" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-02-21T23:19:35Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-9057
- https://github.com/hashicorp/terraform-provider-aws/pull/3934
- https://github.com/hashicorp/terraform-provider-aws/pull/3989
- https://github.com/terraform-providers/terraform-provider-aws/pull/3934
- https://github.com/hashicorp/terraform-provider-aws/commit/efa8cd45c6484ff70b2a515ea7ff06f2459d4ddf
- https://github.com/hashicorp/terraform-provider-aws
- https://github.com/hashicorp/terraform-provider-aws/blob/02b039aa82dd7fc6e4a97a0922cc5dbbab724021/resource_aws_iam_user_login_profile.go#L70-L80
Affected packages
Go / github.com/hashicorp/terraform-provider-aws
Package
- Name
- github.com/hashicorp/terraform-provider-aws
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/terraform-provider-aws