GO-2022-0646

Source
https://pkg.go.dev/vuln/GO-2022-0646
Import Source
https://vuln.go.dev/ID/GO-2022-0646.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0646
Aliases
Published
2022-02-11T23:26:26Z
Modified
2024-05-20T16:03:47Z
Summary
Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go
Details

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

References
Credits
    • Sophie Schmieg from the Google ISE team

Affected packages

Go / github.com/aws/aws-sdk-go

Package

Name
github.com/aws/aws-sdk-go
Purl
pkg:golang/github.com/aws/aws-sdk-go

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
            "symbols": [
                "NewDecryptionClient",
                "NewEncryptionClient"
            ]
        }
    ]
}