CVE-2021-38599

EPSS 0.17%
Veröffentlicht 12.08.2021 16:15:10
Zuletzt bearbeitet 21.11.2024 06:17:38
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because "the user likely wanted to encrypt all file activity."

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wal-g Project ≫ Wal-g Version < 1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.388

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/wal-g/wal-g/commit/cadf598e1c2a345915a21a44518c5a4d5401e2e3

Patch

Third Party Advisory

https://github.com/wal-g/wal-g/pull/1062

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-38599

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-38599

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-38599

EUVD