#VU55848 Information disclosure in WAL-G - CVE-2021-38599

Cybersecurity Help s.r.o.

Published: 2021-08-13

Vulnerability identifier: #VU55848

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-38599

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WAL-G
Web applications / Modules and components for CMS

Vendor: wal-g

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the upload of cleartext backups when a non-libsodium build is used. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

WAL-G: 0.1.0 - 1.0

External links
https://github.com/wal-g/wal-g/commit/cadf598e1c2a345915a21a44518c5a4d5401e2e3
https://github.com/wal-g/wal-g/pull/1062

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in WAL-G