Insecure Defaults

Affecting github.com/hashicorp/packer/builder/amazon/common package, versions <1.3.0

medium severity

Overview

github.com/hashicorp/packer/builder/amazon/common is a tool for creating identical machine images for multiple platforms from a single source configuration.

Affected versions of the package are vulnerable to Insecure Defaults. The package does not require the owners flag when describing images, which makes it easier for remote attackers to trigger the loading of an undesired AMI by setting similar image properties.
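
An added example, not code from Packer or from this advisory: a Go check that flags Amazon builders in a Packer JSON template whose image filter names no owner. The field names builders, type, source_ami_filter and owners are assumed from Packer's JSON template format rather than taken from this page; the sample template, its account ID and AMI ID are constructed placeholders, and FindUnownedFilters is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// packerTemplate mirrors only the fields of a Packer JSON template this check reads.
type packerTemplate struct {
	Builders []struct {
		Type   string `json:"type"`
		Filter *struct {
			Owners []string `json:"owners"`
		} `json:"source_ami_filter"`
	} `json:"builders"`
}

// Constructed sample: builder 0 filters by name only, builder 1 also pins an owner.
const sampleTemplate = `{"builders": [
  {"type": "amazon-ebs", "source_ami_filter": {"filters": {"name": "base-image-*"}, "most_recent": true}},
  {"type": "amazon-ebs", "source_ami_filter": {"filters": {"name": "base-image-*"}, "owners": ["123456789012"], "most_recent": true}},
  {"type": "amazon-ebs", "source_ami": "ami-00000000"}
]}`

// FindUnownedFilters reports every amazon-* builder whose source_ami_filter
// names no owner, so an image from any account with matching properties could be chosen.
func FindUnownedFilters(raw []byte) ([]string, error) {
	var t packerTemplate
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	var findings []string
	for i, b := range t.Builders {
		if !strings.HasPrefix(b.Type, "amazon-") || b.Filter == nil {
			continue // other builder type, or the source AMI is given directly
		}
		owners := strings.TrimSpace(strings.Join(b.Filter.Owners, ""))
		if owners == "" { // key missing, empty list, or only blank entries
			findings = append(findings, fmt.Sprintf("builders[%d] (%s): source_ami_filter has no owners", i, b.Type))
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindUnownedFilters([]byte(sampleTemplate))
	fmt.Println(findings, err)
}
```

Run over the templates in a repository, a non-empty result marks builds that depend on the insecure default and should be given an explicit owner as well as the upgrade.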

Remediation

Upgrade github.com/hashicorp/packer/builder/amazon/common to version 1.3.0 or higher.

Credit: Unknown
CVE: CVE-2018-15869
CWE: CWE-453
Snyk ID: SNYK-GOLANG-GITHUBCOMHASHICORPPACKERBUILDERAMAZONCOMMON-50085
Disclosed: 14 Aug, 2018
Published: 29 Aug, 2018