data/reports/GO-2022-0646.yaml

modules:
  - module: github.com/aws/aws-sdk-go
    vulnerable_at: 1.33.21
    packages:
      - package: github.com/aws/aws-sdk-go/service/s3/s3crypto
        symbols:
          - NewDecryptionClient
          - NewEncryptionClient
description: |-
    The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker
    with write access to a bucket to decrypt files in that bucket.

    Files encrypted by the V1 EncryptionClient using either the AES-CBC
    content cipher or the KMS key wrap algorithm are vulnerable. Users should
    migrate to the V1 EncryptionClientV2 API, which will not create vulnerable
    files. Old files will remain vulnerable until reencrypted with the new
    client.
published: 2022-02-11T23:26:26Z
cves:
  - CVE-2020-8911
  - CVE-2020-8912
ghsas:
  - GHSA-7f33-f4f5-xwgw
  - GHSA-f5pg-7wfw-84q9
credit: Sophie Schmieg from the Google ISE team
references:
  - advisory: https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
  - fix: https://github.com/aws/aws-sdk-go/pull/3403
  - fix: https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4