GO-2022-0646

Source

https://pkg.go.dev/vuln/GO-2022-0646

Import Source

https://vuln.go.dev/ID/GO-2022-0646.json

Aliases

CVE-2020-8911
CVE-2020-8912
GHSA-7f33-f4f5-xwgw
GHSA-f5pg-7wfw-84q9

Published

2022-02-11T23:26:26Z

Modified

2023-11-08T04:04:19.278366Z

Details

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

References

Affected packages

Go / github.com/aws/aws-sdk-go

Package

Name: github.com/aws/aws-sdk-go

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
            "symbols": [
                "NewDecryptionClient",
                "NewEncryptionClient"
            ]
        }
    ]
}