GHSA-5x6q-ffwj-8vcf

Suggest an improvement
Source
https://github.com/advisories/GHSA-5x6q-ffwj-8vcf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5x6q-ffwj-8vcf
Aliases
Published
2022-05-17T01:57:32Z
Modified
2024-05-01T11:26:51.158710Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
attic has improper verification of unencrypted backups
Details

attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".

References

Affected packages

PyPI / attic

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.15

Affected versions

0.*

0.6
0.6.1
0.7
0.8
0.8.1
0.9
0.10
0.11
0.12
0.13
0.14