CVE-2018-9057
HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG
9.8
CRITICAL
CVSS 3.1
EPSS 0.46%
Description
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
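To make the bug class in the description concrete, here is an added Go example that is not code from the Terraform AWS provider: a password generator driven by `math/rand` seeded from the wall clock, beside a corrected generator that draws every character from `crypto/rand`. The character set, the function names and the coarse time-based seed are assumptions for illustration only; they are not taken from the provider's source.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"strings"
	"time"
)

// Assumed character set for illustration; not the provider's own policy.
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+"

// weakPassword reproduces the bug class named in the description: math/rand is a
// non-cryptographic generator whose whole output stream is fixed by the seed.
// A caller that seeds it from the clock (see main) produces passwords that
// anyone who knows, or can narrow down, the creation time can regenerate.
func weakPassword(seed int64, length int) string {
	r := mrand.New(mrand.NewSource(seed))
	out := make([]byte, length)
	for i := range out {
		out[i] = charset[r.Intn(len(charset))]
	}
	return string(out)
}

// strongPassword is the corrected form: each index comes from crypto/rand via
// rand.Int, which is uniform over [0, len(charset)) with no modulo bias and
// needs no seeding by the caller.
func strongPassword(length int) (string, error) {
	out := make([]byte, length)
	modulus := big.NewInt(int64(len(charset)))
	for i := range out {
		n, err := rand.Int(rand.Reader, modulus)
		if err != nil {
			return "", fmt.Errorf("crypto/rand unavailable: %w", err)
		}
		out[i] = charset[n.Int64()]
	}
	return string(out), nil
}

// fromCharset is a small validity check: every rune of s must be in charset.
func fromCharset(s string) bool {
	for _, c := range s {
		if !strings.ContainsRune(charset, c) {
			return false
		}
	}
	return true
}

func main() {
	// The weak pattern: a one-second-granularity clock seed. Two accounts
	// provisioned in the same second, or a guess at that second, yield the
	// same password, so printing it twice gives identical output.
	seed := time.Now().Unix()
	fmt.Printf("weak   (seed %d): %s\n", seed, weakPassword(seed, 16))
	fmt.Printf("weak   (again)  : %s\n", weakPassword(seed, 16))

	strong, err := strongPassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("strong          : %s\n", strong)
}
```

The defensive check a reviewer would apply to any credential-generating code path is the one `weakPassword` fails: if the output can be reproduced from a value the caller chose (a seed, a timestamp, a counter), the generator is not suitable for secrets, regardless of how long or varied the resulting string looks.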
How to fix CVE-2018-9057
To remediate CVE-2018-9057, upgrade the affected package to a fixed version below.
- Upgrade to 1.14.0 or later
Is CVE-2018-9057 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 1.14.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2018-9057
- PATCH: github.com/hashicorp/terraform-provider-aws
- WEB: github.com/hashicorp/terraform-provider-aws/blob/02b039aa82dd7fc6e4a97a0922cc5dbbab724021/resource_aws_iam_user_login_profile.go#L70-L80
- WEB: github.com/hashicorp/terraform-provider-aws/commit/efa8cd45c6484ff70b2a515ea7ff06f2459d4ddf