CVE-2014-6274
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-08-06
Assigner: Debian GNU/Linux
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| git-annex_project | git-annex | From 3.20121126 (inc) to 5.20140919 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2014-6274 is a security vulnerability in git-annex's S3 and Glacier remotes when the configuration option embedcreds=yes is set together with encryption=pubkey or encryption=hybrid. In this case, AWS credentials that were supposed to be encrypted are instead stored in the git repository in effectively plaintext form. This means anyone with access to the repository can extract these AWS credentials, exposing them to unauthorized use. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to your AWS resources because the AWS credentials are exposed in plaintext within the git repository. Anyone with access to the repository can extract these credentials and potentially misuse them, leading to security breaches, data loss, or unexpected charges on your AWS account. It is important to change the exposed credentials, upgrade git-annex to a fixed version, and securely re-embed the credentials to mitigate this risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the git-annex repository for embedded AWS credentials stored in plaintext when the configuration option embedcreds=yes is set alongside encryption=pubkey or encryption=hybrid. You can check the repository history and configuration for such credentials. While no specific detection commands are provided, reviewing the repository for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in plaintext is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include: 1) Changing your AWS credentials to invalidate those exposed in plaintext. 2) Upgrading to a fixed version of git-annex. 3) Re-embedding the new AWS credentials securely by setting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables and running `git annex enableremote $remotename embedcreds=yes` to ensure credentials are encrypted. 4) Removing the plaintext credentials from the repository history by rewriting the git-annex branch history using `git annex forget`. If the repository is only accessible by trusted parties, you may choose to leave it as-is, but this is less secure. [1]