CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 59.4%

A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user’s GPG key. This attack could be used to expose encrypted data that was never stored in git-annex. Daniel Dent discovered this attack in collaboration with Joey Hess.

To perform this attack the attacker needs control of a server hosting an encrypted special remote used by the victim’s git-annex repository. The attacker uses git annex addurl --relaxed with an innocuous URL, and waits for the user’s git-annex to download it and upload an (encrypted) copy to the special remote they also control. At some later point, when the user downloads the content from the special remote, the attacker instead sends them the content of the GPG-encrypted file that they wish to have decrypted in its place (which may have been exfiltrated from the victim’s system via the attack described in HSEC-2023-0010 / CVE-2018-10857, or acquired by other means). Finally, the attacker drops their own copy of the original innocuous URL, and waits for the victim’s git-annex to send them the accidentally decrypted file.

The issue was fixed by making git-annex refuse to download encrypted content from special remotes unless it knows the hash of the expected content. When the attacker provides some other GPG-encrypted content, it will fail the hash check and be discarded.
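
The rule described in the fix, sketched in Python as an added example; this is not git-annex's own code. It assumes a simplified key layout of BACKEND-sSIZE--NAME, treats only the SHA256 and SHA512 backends (and their "E" variants) as carrying a content hash, and uses hypothetical function names and constructed sample data.

```python
import hashlib

# Backends whose key name embeds a hash of the content (subset, assumed for this sketch).
HASH_BACKENDS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


class RefusedDownload(Exception):
    """Content from an encrypted special remote was not accepted."""


def expected_digest(key):
    """Return (hash constructor, hex digest) if the key names its content hash, else None."""
    head, sep, name = key.partition("--")
    if not sep:
        return None
    backend = head.split("-", 1)[0]
    if backend.endswith("E"):            # "E" variants append the file extension
        backend, name = backend[:-1], name.split(".", 1)[0]
    algo = HASH_BACKENDS.get(backend)
    if algo is None or len(name) != algo().digest_size * 2:
        return None                      # e.g. URL keys created by addurl --relaxed
    return algo, name.lower()


def accept_from_encrypted_remote(key, decrypted):
    """Apply the advisory's rule to bytes decrypted from an encrypted special remote."""
    expected = expected_digest(key)
    if expected is None:
        raise RefusedDownload("no expected content hash for %r; refusing" % key)
    algo, digest = expected
    if algo(decrypted).hexdigest() != digest:
        raise RefusedDownload("hash check failed for %r; discarding" % key)
    return decrypted


if __name__ == "__main__":
    # Constructed sample data: the content the user expects, and substituted plaintext.
    page = b"innocuous page\n"
    swapped = b"plaintext of some other GPG-encrypted file\n"
    hashed_key = "SHA256E-s%d--%s.html" % (len(page), hashlib.sha256(page).hexdigest())
    url_key = "URL--http&c%%example.com%page"   # constructed key with no content hash
    for key, data in [(hashed_key, page), (hashed_key, swapped), (url_key, page)]:
        try:
            accept_from_encrypted_remote(key, data)
            print("accepted:", key[:24])
        except RefusedDownload as err:
            print("refused: ", err)
```

The second and third cases are the ones the fix targets: substituted content fails the hash check, and a key with no content hash is refused outright.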