PT-2018-18819 · Hashicorp · Hashicorp Terraform Amazon Web Services (Aws) Provider

Kellerfuchs · Published 2018-03-27 · Updated 2022-05-14 · CVE-2018-9057

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HashiCorp Terraform Amazon Web Services (AWS) provider versions through v1.12.0 (that is, prior to v1.13.0). The exact fixed version is not stated in the description, which names only versions through v1.12.0 as affected.
Description: The issue is an inappropriate PRNG algorithm and seeding in the aws/resource_aws_iam_user_login_profile.go file of the HashiCorp Terraform Amazon Web Services (AWS) provider, which is the code that generates the initial password for an IAM user login profile. Because the generated password is predictable, it is easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with such a weak password.
Recommendations: For HashiCorp Terraform Amazon Web Services (AWS) provider versions through v1.12.0, consider updating to a version later than v1.12.0 to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
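The weakness the description names, a password generator built on a non-cryptographic PRNG with a guessable seed, shown next to the crypto/rand form a defender would want instead. This is an added example written for this page, not the provider's own code: the character set, the 20-character length and the timestamp-like seed in the weak variant are assumptions, and weakPassword exists only to show why a seeded math/rand generator is predictable, not to reproduce the provider's implementation.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mathrand "math/rand"
	"strings"
)

// passwordCharset is a constructed set for this example; it is not the
// provider's charset and does not encode any account password policy.
const passwordCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|'"

// weakPassword illustrates the class of defect described in the advisory
// (assumption: math/rand seeded from a small, guessable value such as a
// timestamp). The output is a pure function of the seed, so anyone who can
// narrow the seed down to a small range can regenerate every candidate.
func weakPassword(seed int64, length int) string {
	r := mathrand.New(mathrand.NewSource(seed))
	b := make([]byte, length)
	for i := range b {
		b[i] = passwordCharset[r.Intn(len(passwordCharset))]
	}
	return string(b)
}

// strongPassword draws each character from crypto/rand. rand.Int returns a
// uniformly distributed value in [0, max), so there is no modulo bias and no
// seed that could be recovered.
func strongPassword(length int) (string, error) {
	max := big.NewInt(int64(len(passwordCharset)))
	b := make([]byte, length)
	for i := range b {
		n, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", fmt.Errorf("reading from crypto/rand: %w", err)
		}
		b[i] = passwordCharset[n.Int64()]
	}
	return string(b), nil
}

// validPassword checks that a generated value has the requested length and
// uses only characters from passwordCharset.
func validPassword(p string, length int) bool {
	if len(p) != length {
		return false
	}
	for i := 0; i < len(p); i++ {
		if strings.IndexByte(passwordCharset, p[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	// Re-seeding with the same value reproduces the "random" password exactly;
	// that repeatability is the whole problem with the weak variant.
	seed := int64(1522108800) // constructed example seed (a Unix timestamp)
	fmt.Println("weak generator repeats for equal seeds:",
		weakPassword(seed, 20) == weakPassword(seed, 20))

	p, err := strongPassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand password valid:", validPassword(p, 20))
}
```

For operators, the practical consequence is that any IAM login profile whose initial password was produced by an affected provider version should be treated as a weak credential and rotated; upgrading the provider fixes future generation but does not change passwords already created.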

Weakness Enumeration

Related Identifiers

CVE-2018-9057
GHSA-R48H-JR2J-9G78

Affected Products

Hashicorp Terraform Amazon Web Services (Aws) Provider