CVE-2022-2582
Information Disclosure vulnerability in aws-sdk-go (Go)

What is CVE-2022-2582 About?

The AWS S3 Crypto SDK, in older versions, exposes an unencrypted plaintext hash alongside ciphertext as a metadata field. This vulnerability allows an attacker who can read this hash to brute force the original plaintext data. Exploitation is feasible if the hash is accessible to the attacker.

Affected Software

github.com/aws/aws-sdk-go <1.34.0

Technical Details

The vulnerability lies in the AWS S3 Crypto SDK's handling of encrypted objects. Older versions of the SDK include an unencrypted hash of the original plaintext data as a metadata field when uploading objects to S3; AWS has since blocked this behavior. This hash, if accessible to an attacker who also has access to the encrypted data, can be used to mount a brute-force attack. Because the hash is computed over the plaintext, the attacker can take various guesses for the plaintext, calculate their hashes, and compare them against the exposed unencrypted hash. A match confirms the plaintext, effectively breaking confidentiality without needing to compromise the encryption key directly. The attack vector is the ability to read S3 object metadata.
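A defensive check for the condition described above, as an added example (not code from the SDK or from this advisory): it scans object user metadata, in the form a HeadObject call returns it, and flags objects that carry a plaintext hash field. The metadata key name `x-amz-unencrypted-content-md5` is an assumption not stated on this page, and the sample objects are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumption: metadata key the SDK's crypto envelope used for the plaintext MD5 (not stated on the page).
const plaintextHashKey = "x-amz-unencrypted-content-md5"

// Finding records one object whose user metadata carries the plaintext hash.
type Finding struct {
	ObjectKey string
	MetaKey   string
}

// normalize lower-cases a key and strips the "x-amz-meta-" prefix S3 puts on user metadata headers.
func normalize(k string) string {
	k = strings.ToLower(strings.TrimSpace(k))
	return strings.TrimPrefix(k, "x-amz-meta-")
}

// AuditMetadata maps object key -> user metadata and reports objects exposing a non-empty plaintext hash.
func AuditMetadata(objects map[string]map[string]string) []Finding {
	var out []Finding
	for objKey, meta := range objects {
		for k, v := range meta {
			if normalize(k) == plaintextHashKey && strings.TrimSpace(v) != "" {
				out = append(out, Finding{ObjectKey: objKey, MetaKey: k})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ObjectKey < out[j].ObjectKey })
	return out
}

// Constructed sample metadata; object names and values are placeholders.
var sampleObjects = map[string]map[string]string{
	"reports/q1.bin": {"X-Amz-Unencrypted-Content-Md5": "<constructed-hash>", "x-amz-cek-alg": "AES/GCM/NoPadding"},
	"reports/q2.bin": {"x-amz-cek-alg": "AES/GCM/NoPadding", "x-amz-iv": "<constructed-iv>"},
	"legacy/a.bin":   {"x-amz-meta-x-amz-unencrypted-content-md5": "<constructed-hash>"},
	"legacy/b.bin":   {"x-amz-unencrypted-content-md5": ""},
}

func main() {
	fmt.Println(AuditMetadata(sampleObjects))
}
```

Keys are compared case-insensitively because metadata key casing varies by client; an empty value is not reported.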

What is the Impact of CVE-2022-2582?

Successful exploitation may allow attackers to decrypt or discover the contents of encrypted data by brute force, leading to a breach of data confidentiality.

What is the Exploitability of CVE-2022-2582?

Exploitation requires the attacker to have read access to the S3 object's metadata, specifically the unencrypted hash, and potentially the associated ciphertext. No direct authentication to the vulnerable application handling encryption is necessarily required, but access to the S3 bucket or its contents is a prerequisite. This is a remote exploitation scenario, dependent on the attacker's ability to access S3 object metadata. The complexity of brute-forcing the plaintext depends on the strength of the plaintext and the computational resources available to the attacker. The primary constraint is obtaining the hash value. The likelihood of exploitation is increased if S3 bucket permissions are overly permissive, allowing unauthorized parties to read object metadata.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-2582?

Available Upgrade Options

  • github.com/aws/aws-sdk-go
    • <1.34.0 → Upgrade to 1.34.0

What are Similar Vulnerabilities to CVE-2022-2582?

Similar Vulnerabilities: CVE-2019-15822, CVE-2016-10534, CVE-2018-1000213, CVE-2019-14264, CVE-2020-14631