| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0646", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2022-02-11T23:26:26Z", |
| "aliases": [ |
| "CVE-2020-8911", |
| "CVE-2020-8912", |
| "GHSA-7f33-f4f5-xwgw", |
| "GHSA-f5pg-7wfw-84q9" |
| ], |
| "summary": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go", |
| "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/aws/aws-sdk-go", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.34.0" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto", |
| "symbols": [ |
| "NewDecryptionClient", |
| "NewEncryptionClient" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/aws/aws-sdk-go/pull/3403" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Sophie Schmieg from the Google ISE team" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0646", |
| "review_status": "REVIEWED" |
| } |
| } |