| id: GO-2022-0646 |
| modules: |
| - module: github.com/aws/aws-sdk-go |
| vulnerable_at: 1.33.21 |
| packages: |
| - package: github.com/aws/aws-sdk-go/service/s3/s3crypto |
| symbols: |
| - NewDecryptionClient |
| - NewEncryptionClient |
| summary: Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go |
| description: |- |
| The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker |
| with write access to a bucket to decrypt files in that bucket. |
| |
| Files encrypted by the V1 EncryptionClient using either the AES-CBC content |
| cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the |
| V1 EncryptionClientV2 API, which will not create vulnerable files. Old files |
| will remain vulnerable until re-encrypted with the new client. |
| published: 2022-02-11T23:26:26Z |
| cves: |
| - CVE-2020-8911 |
| - CVE-2020-8912 |
| ghsas: |
| - GHSA-7f33-f4f5-xwgw |
| - GHSA-f5pg-7wfw-84q9 |
| credits: |
| - Sophie Schmieg from the Google ISE team |
| references: |
| - advisory: https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09 |
| - fix: https://github.com/aws/aws-sdk-go/pull/3403 |
| - fix: https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4 |
