golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: suggestion regarding GO-2022-0646 #3285

Open jcmackie opened 1 week ago

jcmackie commented 1 week ago

Report ID

GO-2022-0646

Suggestion/Comment

Hello team,

I wanted to let you know that we've recently become aware that aws-sdk-go is still vulnerable to CVE-2020-8911.

CVE-2020-8911 is listed as an alias of GO-2022-0646, which I think might not be true as they are different vulnerabilities, I believe.

You can see where some other sites classify even the latest version of this library as still vulnerable: https://nvd.nist.gov/vuln/detail/cve-2020-8911

Up to (excluding) 2.0

https://www.cve.org/CVERecord?id=CVE-2020-8911

affected from stable through V1

We have even confirmed with AWS themselves that the V1 clients which are still part of the SDK are still vulnerable to this issue. They have decided to keep them in the library and accessible for compatibility reasons.

If you can update the status for your VULN DB for this library, that will make it easier for teams and projects to understand the risk, and hopefully encourage them to upgrade to V2.

Regards, James Mackie