VDB
CVE-2022-2582
CVE-2022-2582
PUBLISHED
CVSS 9.300000190734863 CRITICAL
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
EPSS 0.07% · 22.5th percentile
Risk Scores
CVSS v4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.07%
22.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | aws/aws-sdk-go | 0, 0 |
| amazon | aws_software_development_kit | 0, 0 |
| github.com/aws/aws-sdk-go | github.com/aws/aws-sdk-go/service/s3/s3crypto | 0, 0 |
Timeline
- Jul 1, 2022 CVE Published
- Dec 28, 2022 EPSS Score
- Dec 28, 2022 PoC Published
- Feb 7, 2023 EPSS Score
- Feb 9, 2023 CVE Updated
- Mar 7, 2023 EPSS Score
- Mar 21, 2023 EPSS Score
- May 1, 2023 EPSS Score
- Jun 11, 2023 EPSS Score
- Jul 22, 2023 EPSS Score
- Sep 2, 2023 EPSS Score
- Oct 13, 2023 EPSS Score
References
- https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1 url
- https://pkg.go.dev/vuln/GO-2022-0391 url
- https://github.com/google/security-research/security/advisories/GHSA-76wf-9vgp-pj7w url
- https://nvd.nist.gov/vuln/detail/CVE-2022-2582 advisory
- https://github.com/aws/aws-sdk-go package