CVE-2018-9057

EPSS 0.49%
Published 27.03.2018 18:29:00
Last modified 21.11.2024 04:14:53
Source cve@mitre.org
Teams watchlist Login
Open Login

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Terraform SwPlatformaws Version <= 1.12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.646

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-332 Insufficient Entropy in PRNG

The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

https://github.com/terraform-providers/terraform-provider-aws/pull/3934

Patch

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2018-9057

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-9057

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-9057

EUVD