CVE-2018-9057: Insufficient Entropy in PRNG
(updated )
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
References
- github.com/advisories/GHSA-r48h-jr2j-9g78
- github.com/hashicorp/terraform-provider-aws/blob/02b039aa82dd7fc6e4a97a0922cc5dbbab724021/resource_aws_iam_user_login_profile.go
- github.com/hashicorp/terraform-provider-aws/commit/efa8cd45c6484ff70b2a515ea7ff06f2459d4ddf
- github.com/hashicorp/terraform-provider-aws/pull/3934
- github.com/hashicorp/terraform-provider-aws/pull/3989
- github.com/terraform-providers/terraform-provider-aws/pull/3934
- nvd.nist.gov/vuln/detail/CVE-2018-9057
Code Behaviors & Features
Detect and mitigate CVE-2018-9057 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →