Insecure Defaults

Affecting github.com/hashicorp/packer/builder/amazon/common package, versions <1.3.0

Overview

github.com/hashicorp/packer/builder/amazon/common is a tool for creating identical machine images for multiple platforms from a single source configuration.

Affected versions of the package are vulnerable to Insecure Defaults. The package does not require the owners flag when describing images, which makes it easier for remote attackers to trigger the loading of an undesired AMI by setting similar image properties.

You can read more about Insecure Defaults on our blog.

Remediation

Upgrade github.com/hashicorp/packer/builder/amazon/common to version 1.3.0 or higher.

CVSS Score

5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Credit: Unknown
CVE: CVE-2018-15869
CWE: CWE-453
Snyk ID: SNYK-GOLANG-GITHUBCOMHASHICORPPACKERBUILDERAMAZONCOMMON-50085
Disclosed: 14 Aug, 2018
Published: 29 Aug, 2018