Описание
HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2018-9057
- https://github.com/hashicorp/terraform-provider-aws/pull/3934
- https://github.com/hashicorp/terraform-provider-aws/pull/3989
- https://github.com/terraform-providers/terraform-provider-aws/pull/3934
- https://github.com/hashicorp/terraform-provider-aws/commit/efa8cd45c6484ff70b2a515ea7ff06f2459d4ddf
- https://github.com/hashicorp/terraform-provider-aws/blob/02b039aa82dd7fc6e4a97a0922cc5dbbab724021/resource_aws_iam_user_login_profile.go#L70-L80
Пакеты
Наименование
github.com/hashicorp/terraform-provider-aws
go
Затронутые версииВерсия исправления
< 1.14.0
1.14.0
Связанные уязвимости
CVSS3: 9.8
nvd
почти 8 лет назад
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
