CVE-2018-12088

S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
s3ql_projects3ql
𝑥
< 2.27
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
s3ql
sid
3.7.3+dfsg-2
fixed
stretch
ignored
jessie
ignored
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
s3ql
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needs-triage
artful
ignored
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020
https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails
https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o
https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020
https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails
https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o