CVE-2015-4082

EUVD-2017-0012
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
attic_projectattic
𝑥
≤ 0.14
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
attic
artful
dne
bionic
dne
cosmic
dne
disco
dne
precise
dne
trusty
Fixed 0.10-1.1ubuntu0.1+esm1
released
utopic
ignored
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2015/05/31/3
http://www.securityfocus.com/bid/74821
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
https://github.com/jborg/attic/issues/271
http://www.openwall.com/lists/oss-security/2015/05/31/3
http://www.securityfocus.com/bid/74821
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
https://github.com/jborg/attic/issues/271