CVE-2022-2582: Exposure of unencrypted plaintext hash in github.com/aws/aws-sdk-go
First published: Tue Dec 27 2022(Updated: )
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amazon Aws Software Development Kit | <1.34.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-2582?
CVE-2022-2582 is a vulnerability in the AWS S3 Crypto SDK that sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field.
What is the severity of CVE-2022-2582?
CVE-2022-2582 has a severity level of medium, with a CVSS score of 4.3.
Which versions of the AWS SDK are affected by CVE-2022-2582?
Versions up to and excluding 1.34.0 of the Amazon AWS Software Development Kit (SDK) are affected by CVE-2022-2582.
Has AWS addressed the vulnerability?
Yes, AWS has fixed the vulnerability and now blocks the metadata field that contains the unencrypted hash.
How can I fix CVE-2022-2582?
To fix CVE-2022-2582, update your AWS SDK to version 1.34.0 or later.
- collector/nvd-index
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/amazon
- canonical/amazon aws software development kit