CVE-2015-4082: attic has improper verification of unencrypted backups
(updated )
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to “unencrypted / without key file”.
References
- github.com/advisories/GHSA-5x6q-ffwj-8vcf
- github.com/jborg/attic
- github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
- github.com/jborg/attic/issues/271
- github.com/pypa/advisory-database/tree/main/vulns/attic/PYSEC-2017-6.yaml
- nvd.nist.gov/vuln/detail/CVE-2015-4082
- web.archive.org/web/20200517225455/http://www.securityfocus.com/bid/74821
Detect and mitigate CVE-2015-4082 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →