CVE-2022-2582

ADVISORY - github

Summary

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

EPSS Score⁠: 0.00082 (0.250)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-326⁠

Inadequate Encryption Strength

ADVISORY - github

CWE-326⁠

Inadequate Encryption Strength

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-326⁠

Inadequate Encryption Strength

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.