Gpg decryption attack in git-annex - CVE-2018-10859
Published: July 2, 2018
git-annex
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to a gpg decryption attack. A remote attacker who gains control of the server hosting an encrypted special remote used by the victim's git-annex repository can use git annex addurl --relaxed with an innocuous URL, trick the user's git-annex into downloading it and uploading an (encrypted) copy to the special remote the attacker also controls, and then send, in its place, the content of a gpg-encrypted file that they wish to have decrypted.