Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1yNDhoLWpyMmotOWc3OM4AAXCV

Critical EPSS: 0.00449% (0.62707 Percentile) EPSS:
Permalink JSON

HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG

Affected Packages Affected Versions Fixed Versions
go:github.com/hashicorp/terraform-provider-aws < 1.14.0 1.14.0
11 Dependent packages
107 Dependent repositories

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0

All unaffected versions

1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.39.0, 1.40.0, 1.41.0, 1.42.0, 1.43.0, 1.43.1, 1.43.2, 1.44.0, 1.45.0, 1.46.0, 1.47.0, 1.48.0, 1.49.0, 1.50.0, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.56.0, 1.57.0, 1.58.0, 1.59.0, 1.60.0

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.

References:

Identifiers

GHSA-r48h-jr2j-9g78

CVE-2018-9057

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00449

EPSS Percentile: 0.62707

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/terraform-providers/terraform-provider-aws

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON