{"api_version":"1","generated_at":"2026-04-23T07:55:22+00:00","cve":"CVE-2018-9057","urls":{"html":"https://cve.report/CVE-2018-9057","api":"https://cve.report/api/cve/CVE-2018-9057.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-9057","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-9057"},"summary":{"title":"CVE-2018-9057","description":"aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-03-27 18:29:00","updated_at":"2018-04-24 12:08:00"},"problem_types":["CWE-332"],"metrics":[],"references":[{"url":"https://github.com/terraform-providers/terraform-provider-aws/pull/3934","name":"https://github.com/terraform-providers/terraform-provider-aws/pull/3934","refsource":"MISC","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Fix password generation in resourceAwsIamUserLoginProfile by KellerFuchs · Pull Request #3934 · hashicorp/terraform-provider-aws · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-9057","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9057","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"9057","vulnerable":"1","versionEndIncluding":"1.12.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"terraform","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"aws","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-9057","qid":"901511","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for terraform (9179)"},{"cve":"CVE-2018-9057","qid":"902272","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for terraform (9179-1)"},{"cve":"CVE-2018-9057","qid":"997392","title":"GO (Go) Security Update for github.com/hashicorp/terraform-provider-aws (GHSA-r48h-jr2j-9g78)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-9057","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/terraform-providers/terraform-provider-aws/pull/3934","refsource":"MISC","url":"https://github.com/terraform-providers/terraform-provider-aws/pull/3934"}]}},"nvd":{"publishedDate":"2018-03-27 18:29:00","lastModifiedDate":"2018-04-24 12:08:00","problem_types":["CWE-332"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:terraform:*:*:*:*:*:aws:*:*","versionEndIncluding":"1.12.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"9057","Ordinal":"125448","Title":"CVE-2018-9057","CVE":"CVE-2018-9057","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"9057","Ordinal":"1","NoteData":"aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"9057","Ordinal":"2","NoteData":"2018-03-27","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"9057","Ordinal":"3","NoteData":"2018-03-27","Type":"Other","Title":"Modified"}]}}}