AWS S3 Encryption Client Go Vulnerability

MEDIUM (5.3) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Amazon S3 Encryption Client for Go is a library used to encrypt data stored in Amazon S3. The underlying weakness is missing cryptographic key commitment: a ciphertext is not bound to the single key it was produced under, so an attacker with write access to the S3 bucket can introduce a new encryption key under which the stored object decrypts to different plaintext, potentially exposing sensitive data.
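To make the missing property concrete, the following is an added example and not the S3 Encryption Client's own code: a key-committing AES-GCM wrapper in Go that stores an HMAC-SHA256 commitment tag derived from the data key (the label string is an assumption chosen here) next to the ciphertext and checks it before opening the AEAD, so a blob can only ever be accepted under the key that produced it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const nonceSize = 12 // standard AES-GCM nonce length

// commitment derives a tag that only the holder of this exact key can
// reproduce; the label is a constant chosen for this example.
func commitment(key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("key-commitment-v1"))
	return mac.Sum(nil)
}

// SealCommitting returns commitment || nonce || AES-GCM ciphertext. The
// commitment is also passed as AAD so the AEAD tag covers it.
func SealCommitting(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	commit := commitment(key)
	out := append(append([]byte{}, commit...), nonce...)
	return gcm.Seal(out, nonce, plaintext, commit), nil
}

// OpenCommitting refuses the blob before any decryption if the stored
// commitment was not produced under the supplied key.
func OpenCommitting(key, blob []byte) ([]byte, error) {
	if len(blob) < sha256.Size+nonceSize {
		return nil, errors.New("blob too short")
	}
	commit, rest := blob[:sha256.Size], blob[sha256.Size:]
	nonce, ct := rest[:nonceSize], rest[nonceSize:]
	if !hmac.Equal(commit, commitment(key)) {
		return nil, errors.New("key commitment mismatch: not produced under this key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, commit)
}
```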

Am I affected?

You're affected if you use the Amazon S3 Encryption Client for Go; the weakness is missing cryptographic key commitment. Specific version info is not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

go: github.com/aws/amazon-s3-encryption-client-go

Affected Products

Amazon Web Services / Amazon S3 Encryption Client for Go

How to fix

To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later.

  • Visit the GitHub releases page to download the patched version.
  • If you can't upgrade immediately, restrict network access to your S3 bucket and monitor for suspicious activity.