CVE-2018-12088

EUVD-2018-4068
S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
s3ql_projects3ql
𝑥
< 2.27
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
s3ql
jessie
ignored
sid
3.7.3+dfsg-2
fixed
stretch
ignored
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
s3ql
artful
ignored
bionic
needs-triage
cosmic
ignored
disco
ignored
eoan
ignored
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020
https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails
https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o
https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020
https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails
https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o