Vulnerability Description
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Attic Project | Attic | <= 0.14 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2015/05/31/3Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/74821Third Party AdvisoryVDB Entry
- https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072Third Party Advisory
- https://github.com/jborg/attic/issues/271ExploitThird Party Advisory
- http://www.openwall.com/lists/oss-security/2015/05/31/3Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/74821Third Party AdvisoryVDB Entry
- https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072Third Party Advisory
- https://github.com/jborg/attic/issues/271ExploitThird Party Advisory
FAQ
What is CVE-2015-4082?
CVE-2015-4082 is a vulnerability with a CVSS score of 6.5 (MEDIUM). attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive informat...
How severe is CVE-2015-4082?
CVE-2015-4082 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-4082?
Check the references section above for vendor advisories and patch information. Affected products include: Attic Project Attic.