Description
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
References (2)
Core 2
Core References
Patch, Third Party Advisory
https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
Exploit, Patch, Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0391
Scores
CVSS v3
4.3
EPSS
0.0048
EPSS Percentile
37.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-326
Status
published
Products (2)
amazon/aws_software_development_kit
< 1.34.0
aws/aws-sdk-go
0 - 1.34.0Go
Published
Dec 27, 2022
Tracked Since
Feb 18, 2026