Vulnerability Description
S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| S3Ql Project | S3Ql | < 2.27 |
Related Weaknesses (CWE)
References
- https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef052PatchThird Party Advisory
- https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimExploitThird Party Advisory
- https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o
- https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef052PatchThird Party Advisory
- https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimExploitThird Party Advisory
- https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o
FAQ
What is CVE-2018-12088?
CVE-2018-12088 is a vulnerability with a CVSS score of 7.5 (HIGH). S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-dat...
How severe is CVE-2018-12088?
CVE-2018-12088 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-12088?
Check the references section above for vendor advisories and patch information. Affected products include: S3Ql Project S3Ql.