CVE-2015-4082 Information

Description

attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file."

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.openwall.com/lists/oss-security/2015/05/31/3
http://www.securityfocus.com/bid/74821
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
https://github.com/jborg/attic/issues/271

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
