{"containers": {"cna": {"affected": [{"product": "AWS S3 Crypto SDK for GoLang", "vendor": "Google LLC", "versions": [{"lessThanOrEqual": "V1", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Sophie Schmieg"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T19:20:14", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"}], "source": {"discovery": "EXTERNAL"}, "title": "In-band key negotiation issue in AWS S3 Crypto SDK for GoLang", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2020-8912", "STATE": "PUBLIC", "TITLE": "In-band key negotiation issue in AWS S3 Crypto SDK for GoLang"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AWS S3 Crypto SDK for GoLang", "version": {"version_data": [{"version_affected": "<=", "version_name": "stable", "version_value": "V1"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Sophie Schmieg"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}]}, "references": {"reference_data": [{"name": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09", "refsource": "CONFIRM", "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"name": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw", "refsource": "CONFIRM", "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:10.969Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2020-8912", "datePublished": "2020-08-11T19:20:14", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:10.969Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_s3_crypto_sdk:*:*:*:*:*:golang:*:*", "matchCriteriaId": "6DA4DBDE-9779-48A4-AE06-E000069FC72F", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files."}, {"lang": "es", "value": "Se presenta una vulnerabilidad en la negociaci\u00f3n de claves in-band en AWS S3 Crypto SDK para GoLang versiones anteriores a la versi\u00f3n V2. Un atacante con acceso de escritura al dep\u00f3sito de destino puede cambiar el algoritmo de cifrado de un objeto en el dep\u00f3sito, lo que luego puede permitirle cambiar AES-GCM a AES-CTR. El uso de esto en combinaci\u00f3n con un or\u00e1culo de descifrado puede revelar la clave de autenticaci\u00f3n usada por AES-GCM ya que descifrar la etiqueta GMAC deja la clave de autenticaci\u00f3n recuperable como una ecuaci\u00f3n algebraica. Se recomienda actualizar su SDK a la versi\u00f3n V2 o posterior y volver a cifrar sus archivos"}], "id": "CVE-2020-8912", "lastModified": "2020-08-17T19:31:42.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2020-08-11T20:15:13.323", "references": [{"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-327"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/3scale-rhel7-operator:1.14.0-4", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/3scale-rhel7-operator-metadata:2.11.0-16", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/apicast-rhel7-operator:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/apicast-rhel7-operator-metadata:2.11.0-9", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/memcached-rhel7:1.4.16-38", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el7", "package": "3scale-amp2/system-rhel7:1.15.0-8", "product_name": "3scale API Management 2.11 on RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/apicast-gateway-rhel8:1.20.0-6", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/backend-rhel8:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/toolbox-rhel8:1.6.0-7", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3851", "cpe": "cpe:/a:redhat:3scale_amp:2.11::el8", "package": "3scale-amp2/zync-rhel8:1.14.0-3", "product_name": "3scale API Management 2.11 on RHEL 8", "release_date": "2021-10-14T00:00:00Z"}], "bugzilla": {"description": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang", "id": "1869801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869801"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-327", "details": ["A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", "A flaw was found in the AWS S3 Crypto SDK where algorithm parameters for the data encryption key are not authenticated. This flaw allows attackers with S3 bucket write access to change the negotiated encryption algorithm, potentially providing viable brute force methods to recover plaintext. This is not an issue in V2 of the API or for applications not encrypting files in S3 buckets. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2020-8912", "package_state": [{"cpe": "cpe:/a:redhat:amq_interconnect:1", "fix_state": "Will not fix", "package_name": "amq-cert-manager-container", "product_name": "A-MQ Interconnect 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "awk-sdk-go", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-controller-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-registry-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:rhmt:1.2", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-velero-rhel8", "product_name": "Red Hat Cluster Application Migration"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "dv-operator-container", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "integration-service-registry-operator-container", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift-cluster-autoscaler", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "golang-github-prometheus-prometheus", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-aws-ebs-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-aws-machine-controllers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-baremetal-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-autoscaler", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-image-registry-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-ingress-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-coredns", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-efs-provisioner-rhel7", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hyperkube", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-etcd-signer-server", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-helm-container-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-reporting-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-vertical-pod-autoscaler-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-enterprise-node-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "multi-cloud-object-gateway-cli", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8912\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8912\nhttps://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09\nhttps://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"], "statement": "The following products include components that use the AWS SDK (aws/aws-sdk-go), however they do not include code that encrypts or decrypts files in S3 buckets (aws/aws-sdk-go/service/s3/s3crypto). The below products are not affected by this flaw:\n* Red Hat Cluster Application Migration\n* Red Hat OpenShift Container Platform\n* Red Hat OpenShift ServiceMesh\n* Red Hat OpenShift Container Storage\n* Red Hat Ceph Storage\n* Red Hat Gluster Storage", "threat_severity": "Low", "upstream_fix": "github.com/aws/aws-sdk-go v1.34.0"}