Description
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
References (1)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/terraform-providers/terraform-provider-aws/pull/3934
Scores
CVSS v3
9.8
EPSS
0.0046
EPSS Percentile
64.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-332
Status
published
Products (2)
hashicorp/terraform
< 1.12.0
hashicorp/terraform-provider-aws
0 - 1.14.0 (Go)
Published
Mar 27, 2018
Tracked Since
Feb 18, 2026