Improper verification of cryptographic signature in Borg - CVE-2023-36811

 


Published: September 6, 2023


Vulnerability identifier: #VU80511
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-36811
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Borg
Software vendor: The Borg Collective

Description

The vulnerability allows a remote user to spoof backup archives.

The vulnerability exists due to improper verification of cryptographic signature. A remote user with write access to the repository can create fake archives that will appear to be valid. This can result in data loss.


Remediation

Install updates from vendor's website.
