[advisory]
id = "HSEC-2023-0012"
cwe = [200]
keywords = ["historical"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
[[affected.versions]]
introduced = "0.20110417"
fixed = "6.20160419"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/"
[[references]]
type = "FIX"
url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657"

git-annex checksum exposure to encrypted special remotes

A bug exposed the checksum of annexed files to encrypted special remotes, which are not supposed to have access to the checksum of the un-encrypted file. This only occurred when resuming uploads to the encrypted special remote, so it is considered a low-severity security hole.

For details, see commit b890f3a53d936b5e40aa9acc5876cb98f18b9657.

No CVE was assigned for this issue.

Fixed in git-annex-6.20160419.

Advisories list

git-annex checksum exposure to encrypted special remotes