CVE-2018-12088

Published: Jun 10, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.

Affected (1)

Products: S3ql Project: S3ql

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
S3ql Project S3ql	Before 2.27

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020

Source: cve@mitre.org

PatchThird Party Advisory

https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails

Source: cve@mitre.org

ExploitThird Party Advisory

https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o

Source: cve@mitre.org

https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://bitbucket.org/nikratio/s3ql/issues/272/t3_verifypy-test_retrieve-sometimes-fails

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://groups.google.com/forum/#%21topic/s3ql/4TzCVIMkA4o

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.