CVE-2018-12088

Description

S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.

How to fix CVE-2018-12088

To remediate CVE-2018-12088, upgrade the affected package to a fixed version below.

—upgrade to 2.27.1+dfsg-1 or later

Is CVE-2018-12088 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.27.1+dfsg-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-12088