GO-2022-0646

See a problem?
Please try reporting it to the source first.
Source
https://pkg.go.dev/vuln/GO-2022-0646
Import Source
https://vuln.go.dev/ID/GO-2022-0646.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0646
Aliases
Published
2022-02-11T23:26:26Z
Modified
2024-12-13T16:27:02.251334Z
Summary
CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
Details

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

Database specific 
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0646"
}
References
Credits
    • Sophie Schmieg from the Google ISE team

Affected packages

Go / github.com/aws/aws-sdk-go

Package

Name
github.com/aws/aws-sdk-go
View open source insights on deps.dev
Purl
pkg:golang/github.com/aws/aws-sdk-go

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Ecosystem specific 

{
    "imports": [
        {
            "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
            "symbols": [
                "NewDecryptionClient",
                "NewEncryptionClient"
            ]
        }
    ]
}