CVE-2022-2582: 
Wolfi vulnerability analysis and mitigation

CVE-2022-2582 affects the AWS S3 Crypto SDK, specifically versions before v1.34.0. The vulnerability was discovered in July 2022 and publicly disclosed on December 27, 2022. The issue affects the AWS SDK for Go (aws-sdk-go) package, particularly its S3 encryption functionality (NVD, Go Vuln DB).

The vulnerability stems from the AWS S3 Crypto SDK sending an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This implementation has a CVSS v3.1 Base Score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue specifically affects six functions in the s3crypto package including DecryptionClient.GetObject, EncryptionClient.PutObject, and their related methods (Go Vuln DB).

If an attacker has access to read the metadata field, they could potentially brute force the original plaintext by using the exposed hash. This creates a security weakness that could lead to unauthorized access to encrypted data (NVD).

AWS has addressed this vulnerability by blocking the metadata field that contained the unencrypted hash. Users should upgrade to aws-sdk-go version 1.34.0 or later to receive the fix. The patch was implemented through a commit that introduces new encryption and decryption clients (EncryptionClientV2 and DecryptionClientV2) which support a new key wrapping algorithm 'kms+context' (AWS SDK Commit).