CVE-2015-4082

MEDIUM

attic < 0.15 - Unauthenticated Sensitive Information Exposure via Manifest Type Byte Manipulation

Title source: llm
STIX 2.1

Description

attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".

References (4)

Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/jborg/attic/issues/271
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/31/3
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74821

Scores

CVSS v3 6.5
EPSS 0.0247
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-264
Status published
Products (2)
attic_project/attic < 0.14
pypi/attic 0 - 0.15PyPI
Published Aug 18, 2017
Tracked Since Feb 18, 2026