Vulnerability CVE-2015-4082


Published: 2017-08-18

Description:
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software:
Attic project -> Attic

 References:
http://www.openwall.com/lists/oss-security/2015/05/31/3
http://www.securityfocus.com/bid/74821
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
https://github.com/jborg/attic/issues/271

Copyright 2021, cxsecurity.com

 
