-
Type:
Vulnerability
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: None
-
None
-
pkg:golang/github.com/aws/aws-sdk-go@v1.53.11
-
Tools and Replicator
-
master
Priority from VULN: Low
This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.
Vulnerability Details
The following vulnerabilities were found in the third party component pkg:golang/github.com/aws/aws-sdk-go@v1.53.11 used in the repo: https://github.com/mongodb/mongo-tools:
CVE | Severity | CVSS | Fixed Version(s) |
CVE-2020-8911 | Medium | 6 | None |
CVE-2020-8912 | Low | 3 | None |
How do I fix this?
Currently, there is no fix/remediation available for the above vulnerabilitie(s) as per our vulnerability scanner. To take action on this ticket, it is recommended to do the following:
- Refer to the reference links below to see if there actually is a fix available that was not captured by the scanner or to see if a fix is actively being worked on.
- Consider submitting a PR to the third-party/open source respository to resolve the vulnerability, if possible.
- Ensure that the library is still being maintained. If the library is no longer maintained, it is highly recommended to utilize a new library.
If you have gone through the above list and it's still not clear how to action this ticket, you should investigate if your application is affected by the vulnerabilities referenced in this ticket. If it is not affected, you can mark this ticket as a false positive.
If you need additional assistance, please reach out in the #secure-sdlc-program channel.
References:
- https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9
- https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e
- https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4
- https://github.com/aws/aws-sdk-go/pull/3403
- https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
- https://bugzilla.redhat.com/show_bug.cgi?id=1869800
- https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc
Tool Description: A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
🔥 Please see go/vuln-flow for detailed guidance.