CVE-2022-2582

Name of the Vulnerable Software and Affected Versions AWS S3 Crypto SDK (affected versions not specified)

Description The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. The issue poses insider risks and privilege escalation risks, circumventing KMS controls for stored data. The attack is theoretically valid if the plaintext entropy is below the key size. The issue has been fully mitigated by AWS as of Aug. 5th by disallowing the header in question.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.