medium

Signature version 1 (SigV1) is insecure

Published Thu, Dec 18th, 2008

Platforms

Summary

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attack would be able to modify signed requests via specially constructed collisions.

Affected Services

N/A

Remediation

None required, SigV1 is deprecated at this point

Tracked CVEs

No tracked CVEs

References

http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Exploitablity Period

until December 18th, 2008

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Colin Percival

More vulnerabilities...

medium

AWS CDK Bucket Squatting Risk

The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format (cdk-{Qualifier}-assets-{Account-ID...

Ofek Itach, Yakir Kadkoda, ...

Thu, Oct 24th, 2024

Missing JWT issuer and signer validation in ALB middleware

Miggo Security

Mon, Oct 21st, 2024

low

Data exfil via VPC endpoint denials in CloudTrail

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases...

Sam Cox, Tracebit

Tue, Oct 15th, 2024

View all