CVE-2018-9057 – github.com/hashicorp/terraform-provider-aws
Package
Manager: go
Name: github.com/hashicorp/terraform-provider-aws
Vulnerable Version: >=0 <1.14.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00437 (percentile: 0.62173)
Details
HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG.
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
Metadata
Created: 2022-05-14T03:29:43Z
Modified: 2024-02-21T23:19:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r48h-jr2j-9g78/GHSA-r48h-jr2j-9g78.json
CWE IDs: ["CWE-332"]
Alternative ID: GHSA-r48h-jr2j-9g78
Finding: F124
Auto approve: 1