CVE-2022-2582

Опубликовано: 27 дек. 2022

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

Ссылки

https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
Patch
Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0391
Exploit
Patch
Third Party Advisory
https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
Patch
Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0391
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:amazon:aws_software_development_kit:*:*:*:*:*:go:*:*

Версия до 1.34.0 (исключая)

EPSS

Процентиль: 28%

0.00101

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-326

Связанные уязвимости

CVE-2022-2582

CVSS3: 4.3

ubuntu

около 3 лет назад

CVE-2022-2582

CVSS3: 4.3

debian

около 3 лет назад

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext along ...

GHSA-6jvc-q2x7-pchv

CVSS3: 4.3

github

около 3 лет назад

AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field

EPSS

Процентиль: 28%

0.00101

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-326