GHSA-76wf-9vgp-pj7w: Duplicate Advisory: Unencrypted md5 plaintext hash in metadata in AWS S3 Crypto SDK for golang

February 11, 2022 (updated February 3, 2026)

The golang AWS S3 Crypto SDK was impacted by an issue that can result in loss of confidentiality. An attacker with read access to an encrypted S3 bucket was able to recover the plaintext without accessing the encryption key.

References

github.com/advisories/GHSA-76wf-9vgp-pj7w
github.com/aws/aws-sdk-go
github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
github.com/google/security-research/security/advisories/GHSA-76wf-9vgp-pj7w
pkg.go.dev/vuln/GO-2022-0391

Code Behaviors & Features

Detect and mitigate GHSA-76wf-9vgp-pj7w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →