CVE-2015-4082
MEDIUMattic < 0.15 - Unauthenticated Sensitive Information Exposure via Manifest Type Byte Manipulation
Title source: llmDescription
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/jborg/attic/issues/271
Third Party Advisory x_refsource_confirm
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/31/3
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74821
Scores
CVSS v3
6.5
EPSS
0.0247
EPSS Percentile
82.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-264
Status
published
Products (2)
attic_project/attic
< 0.14
pypi/attic
0 - 0.15PyPI
Published
Aug 18, 2017
Tracked Since
Feb 18, 2026