In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
Overview
Source
ID
GO-2022-0635
Aliases
CVE-2020-8912
GHSA-7f33-f4f5-xwgw
Affected package
Description
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Impact
Reference links
Summary
41.16k
Total packages affected
help_outline
Packages with at least one version that is affected by the advisory or has an affected dependency.
2.19k
Packages with a known fix
help_outline
Packages with versions affected by the advisory that have a greater version that is not affected.
3.07%
Total ecosystem affected
help_outline
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0
Affected