{"containers": {"cna": {"affected": [{"product": "AWS S3 Crypto SDK for GoLang", "vendor": "Google LLC", "versions": [{"lessThanOrEqual": "V1", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Sophie Schmieg"}], "descriptions": [{"lang": "en", "value": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T19:20:13", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"}], "source": {"discovery": "EXTERNAL"}, "title": "CBC padding oracle in AWS S3 Crypto SDK for GoLang", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2020-8911", "STATE": "PUBLIC", "TITLE": "CBC padding oracle in AWS S3 Crypto SDK for GoLang"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AWS S3 Crypto SDK for GoLang", "version": {"version_data": [{"version_affected": "<=", "version_name": "stable", "version_value": "V1"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Sophie Schmieg"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}]}, "references": {"reference_data": [{"name": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09", "refsource": "CONFIRM", "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"name": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9", "refsource": "CONFIRM", "url": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:11.063Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2020-8911", "datePublished": "2020-08-11T19:20:14", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:11.063Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_s3_crypto_sdk:*:*:*:*:*:golang:*:*", "matchCriteriaId": "6DA4DBDE-9779-48A4-AE06-E000069FC72F", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo padding oracle en AWS S3 Crypto SDK para GoLang versiones anteriores a la versi\u00f3n V2. El SDK permite a los usuarios cifrar archivos con AES-CBC sin calcular un Message Authentication Code (MAC), que entonces permite a un atacante que tiene acceso de escritura al dep\u00f3sito S3 del objetivo y puede observar si un endpoint con acceso a la clave puede descifrar un archivo, pueden reconstruir el texto plano con (en promedio) consultas 128*length (en texto sin formato) al endpoint, aprovechando la capacidad de CBC para manipular los bytes del siguiente bloque y los errores de relleno de PKCS5. Se recomienda actualizar su SDK a la versi\u00f3n V2 o posterior y volver a cifrar sus archivos"}], "id": "CVE-2020-8911", "lastModified": "2020-08-18T13:37:59.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 4.0, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2020-08-11T20:15:13.230", "references": [{"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-327"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/3scale-rhel7-operator:1.14.0-4", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/3scale-rhel7-operator-metadata:2.11.0-16", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/apicast-rhel7-operator:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/apicast-rhel7-operator-metadata:2.11.0-9", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/memcached-rhel7:1.4.16-38", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/system-rhel7:1.15.0-8", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/apicast-gateway-rhel8:1.20.0-6", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/backend-rhel8:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/toolbox-rhel8:1.6.0-7", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/zync-rhel8:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}], "bugzilla": {"description": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang", "id": "1869800", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869800"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-327", "details": ["A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", "A flaw was found in the AWS S3 Crypto SDK that allows users to encrypt files stored in S3 buckets with AES-CBC, without computing a MAC on the data. This allows for a padding oracle, enabling attackers with both write access to the target S3 bucket and the ability to observe the result of valid decryption attempts to potentially recover original plaintext. This is not an issue if files in S3 buckets are not encrypted with CBC mode, which is disabled in V2 of the AWS S3 Crypto SDK."], "name": "CVE-2020-8911", "package_state": [{"cpe": "cpe:/a:redhat:amq_interconnect:1", "fix_state": "Will not fix", "package_name": "amq-cert-manager-container", "product_name": "A-MQ Interconnect 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "awk-sdk-go", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-controller-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-registry-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "integration-service-registry-operator-container", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "dv-operator-container", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift-cluster-autoscaler", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "golang-github-prometheus-prometheus", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-aws-ebs-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-aws-machine-controllers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-baremetal-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-autoscaler", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-image-registry-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-ingress-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-coredns", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-efs-provisioner-rhel7", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hyperkube", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-etcd-signer-server", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-helm-container-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-reporting-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-vertical-pod-autoscaler-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-enterprise-node-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "multi-cloud-object-gateway-cli", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8911\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8911\nhttps://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09\nhttps://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"], "statement": "The following products include components that use the AWS SDK (aws/aws-sdk-go), however they do not include code that encrypts or decrypts files in S3 buckets (aws/aws-sdk-go/service/s3/s3crypto). The below products are not affected by this flaw:\n* Red Hat Cluster Application Migration\n* Red Hat OpenShift Container Platform\n* Red Hat OpenShift ServiceMesh\n* Red Hat OpenShift Container Storage\n* Red Hat Ceph Storage\n* Red Hat Gluster Storage", "threat_severity": "Moderate", "upstream_fix": "github.com/aws/aws-sdk-go v1.34.0"}