CVE-2022-2582

Published: Dec 27, 2022Modified: Apr 11, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

Affected (1)

Products: Amazon: Aws Software Development Kit

1 product

Aws Software Development Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Amazon Aws Software Development Kit	Before 1.34.0

Related CWEs

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (4)

https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1

Source: security@golang.org

PatchThird Party Advisory

https://pkg.go.dev/vuln/GO-2022-0391

Source: security@golang.org

ExploitPatchThird Party Advisory

https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://pkg.go.dev/vuln/GO-2022-0391

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.