7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.4%
Some uses of git-annex were vulnerable to a private data exposure
and exfiltration attack. It could expose the content of files
located outside the git-annex repository, or content from a
private web server on localhost or the LAN. Joey Hess discovered
this attack.
To perform this attack, the attacker needs to have control over one
of the remotes of the victim’s git-annex repository. For example,
they may provide a public git-annex repository that the victim
clones. Or, equivalantly, the attacker could have read access to the
victim’s git-annex repository or a repository it pushes to, and
some channel to get commits into it (e.g. pull requests).
These exploits are most likely to succeed when the victim is running
the git-annex
assistant, or is periodically running git annex sync --content
.
To perform the attack the attacker runs git-annex addurl --relaxed file:///etc/passwd
and commits this to the repository in some out
of the way place. After the victim’s git repository receives that
change, git-annex
follows the attacker-provided URL to the private
data, which it stores in the git-annex repository. From there it
transfers the content to the remote git-annex repository that the
attacker has access to.
As well as file:///
URLs, the attacker can use URLs to private web
servers. The URL can also be one that the attacker controls, that
redirects to a URL that is accessible to the victim system (and not
necessarily the compromised remote).
The issue was fixed by making git-annex
refuse to follow
file:///
urls and URLs pointing to private/local IP addresses by
default. Two new configuration settings,
annex.security.allowed-url-schemes
and
annex.security.allowed-ip-addresses
, can relax this security
policy, and are intended for cases where the git-annex repository
is kept private and so the attack does not apply.
One variant of this issue can exploit a vulnerable external special
remote, and could not be prevented by git-annex
. (git-annex
’s
own built-in special remotes are not vulnerable to this attack.)
In this attack variant, the attacker guesses the hash of a file
stored on the victim’s private web server, and adds it to the
git-annex
repository. The attacker also has control of the server
hosting an encrypted special remote used by the victim’s git-annex
repository. They cause that server to redirect to the victim’s web
server. This allows the attacker to verify if the victim’s web
server contains a file that the attacker already knows the content
of, assuming they can guess the URL to it.
Developers of external special remotes are encouraged to prevent
this attack by not following such HTTP redirects.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.4%