Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01eDZxLWZmd2otOHZjZs4AAaay
attic has improper verification of unencrypted backups
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
Permalink: https://github.com/advisories/GHSA-5x6q-ffwj-8vcf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDZxLWZmd2otOHZjZs4AAaay
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 17 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-5x6q-ffwj-8vcf, CVE-2015-4082
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-4082
- https://github.com/jborg/attic/issues/271
- https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
- http://www.openwall.com/lists/oss-security/2015/05/31/3
- https://web.archive.org/web/20200517225455/http://www.securityfocus.com/bid/74821
- https://github.com/advisories/GHSA-5x6q-ffwj-8vcf
Blast Radius: 0.0
Affected Packages
pypi:attic
Dependent packages: 0
Dependent repositories: 1
Downloads: 56 last month
Affected Version Ranges: < 0.15
Fixed in: 0.15
All affected versions: 0.6.1, 0.8.1
All unaffected versions: