VYPR
Moderate severityNVD Advisory· Published Aug 11, 2020· Updated Aug 4, 2024

CBC padding oracle in AWS S3 Crypto SDK for GoLang

CVE-2020-8911

Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/aws/aws-sdk-goGo
< 1.34.01.34.0

Affected products

548

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.