CVE-2015-4082
attic has improper verification of unencrypted backups
6.5
MEDIUM
CVSS 3.1
EPSS 0.86%
Description
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
How to fix CVE-2015-4082
To remediate CVE-2015-4082, upgrade the affected package to a fixed version below.
- —upgrade to 0.15 or later
- —upgrade to 78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072 or later
Is CVE-2015-4082 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.15
- from 0, < 78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072 | from 0, < 0.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |