Vulnerability Description
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. An attacker who can read this hash can use it to brute-force the plaintext. AWS now blocks this metadata field, but older SDK versions still send it.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Aws Software Development Kit | < 1.34.0 |
Related Weaknesses (CWE)
References
- https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d (Patch, Third Party Advisory)
- https://pkg.go.dev/vuln/GO-2022-0391 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-2582?
CVE-2022-2582 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute-force the plaintext if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
How severe is CVE-2022-2582?
CVE-2022-2582 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2022-2582?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Aws Software Development Kit.