CVE-2015-4082

MEDIUM

Attic < 0.14 - Access Control

Title source: rule

Description

attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".

Scores

CVSS v3: 6.5
EPSS: 0.0086
EPSS Percentile: 74.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-264
Status: published
Products (3)
attic_project/attic < 0.14
n/a/n/a
pypi/attic < 0.15 (PyPI)
Published: Aug 18, 2017
Tracked Since: Feb 18, 2026