CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
Overview
Source
ID
GO-2022-0646
Aliases
CVE-2020-8911
GHSA-f5pg-7wfw-84q9
Affected package
Description
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Impact
Reference links
Summary
41.16k
Total packages affected
help_outline
Packages with at least one version that is affected by the advisory or has an affected dependency.
2.19k
Packages with a known fix
help_outline
Packages with versions affected by the advisory that have a greater version that is not affected.
3.07%
Total ecosystem affected
help_outline
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0
Affected