PT-2018-10145 · Joey Hess · Git-Annex

Joey Hess · Published 2018-07-06 · Updated 2025-11-14 · CVE-2018-10857
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: git-annex (affected versions not specified)
Description: The issue is a private-data exposure and exfiltration attack against git-annex. It can expose the content of files located outside the git-annex repository, or content served by a private web server on localhost or the LAN. To carry it out, the attacker must control one of the remotes of the victim's git-annex repository. The attacker runs, for example, git-annex addurl --relaxed file:///etc/passwd and commits the result to the repository; the git-annex branch then records that URL as a location for the key, and --relaxed means the attacker's repository never has to hold the content itself. When the victim later retrieves that content (git annex get, git annex sync --content, or the git-annex assistant), git-annex fetches the URL, which reads the file from the victim's own filesystem, and because the attacker's remote lacks the content, the following sync uploads it there. URLs pointing at private web servers on localhost or the LAN work the same way. The issue was discovered by Joey Hess.
Recommendations: The fix makes git-annex refuse, by default, to follow file:/// URLs and URLs that resolve to private or local IP addresses (loopback and LAN ranges), including when an HTTP redirect leads there. Two new configuration settings relax this policy when it is genuinely needed: annex.security.allowed-url-schemes lists the URL schemes git-annex may download from (the default allows http, https and ftp), and annex.security.allowed-ip-addresses lists private/local addresses or ranges that may be contacted, or "all" to disable the check. Relaxing either setting reopens the attack surface, so do so only in repositories whose remotes are all trusted. As a temporary workaround until updated, disable the git-annex assistant and avoid git annex sync --content, since both download from URLs registered by other remotes and then upload content to remotes that lack it. Restrict who can push to the repository's remotes, and avoid using git-annex addurl --relaxed with untrusted URLs. Developers of external special remotes that download from URLs are encouraged to apply the same policy and not follow HTTP redirects to file:// or private/local addresses.
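The policy described above, as an added example written for this page (it is not git-annex's own Haskell code): the two policy inputs mirror annex.security.allowed-url-schemes and annex.security.allowed-ip-addresses, a redirect chain is checked hop by hop, and the attacker URLs from the description are run through it. The defaults, the offline resolver (which knows only IP literals and the name localhost), and the helper names are assumptions made here.

```python
"""Minimal model of the URL policy git-annex adopted for CVE-2018-10857.

Added example, not git-annex's own code. The two policy inputs mirror the
documented settings annex.security.allowed-url-schemes and
annex.security.allowed-ip-addresses; the defaults, the offline resolver and
the helper names are assumptions made for this illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed defaults: download only from these schemes, and from no
# private/local address unless it is explicitly listed.
DEFAULT_ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})
DEFAULT_ALLOWED_IPS = frozenset()


def offline_resolver(host):
    """Resolver used by default so the example runs without network access.
    It understands IP literals and (an assumption made here) the name
    'localhost'; any other hostname is reported as unresolvable."""
    if host == "localhost":
        return [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")]
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return []


def system_resolver(host):
    """Real DNS lookup; pass resolve=system_resolver to check live names."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip any IPv6 scope suffix such as '%eth0' before parsing.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_local_or_private(addr):
    """Loopback, RFC 1918 / ULA, link-local, multicast, reserved, unspecified."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def parse_allowed_ips(entries):
    """Turn an allowed-ip-addresses style list (IPs or CIDR ranges) into
    networks. The single word 'all' disables the address check entirely."""
    nets = []
    for entry in entries:
        if entry == "all":
            return None
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def url_allowed(url, allowed_schemes=DEFAULT_ALLOWED_SCHEMES,
                allowed_ips=DEFAULT_ALLOWED_IPS, resolve=offline_resolver):
    """Return (allowed, reason) for one URL under the given policy."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        return False, f"scheme {scheme!r} is not in allowed-url-schemes"
    host = parts.hostname
    if not host:
        # Nothing to resolve (e.g. file:///path); the scheme check decided it.
        return True, "no network host; scheme is allowed"
    nets = parse_allowed_ips(allowed_ips)
    if nets is None:
        return True, "allowed-ip-addresses is 'all'"
    addrs = resolve(host)
    if not addrs:
        return False, f"cannot resolve {host!r}"
    # Every address the name maps to must pass: a name mixing public and
    # private records could otherwise steer the download onto the LAN.
    for addr in addrs:
        if is_local_or_private(addr) and not any(addr in n for n in nets):
            return False, f"{host} resolves to private/local address {addr}"
    return True, "ok"


def first_blocked_hop(hops, **policy):
    """Apply the policy to each URL of a redirect chain and return the first
    (url, reason) that fails, or None. A downloader that follows redirects
    must re-check every hop, not only the URL it started from."""
    for hop in hops:
        allowed, reason = url_allowed(hop, **policy)
        if not allowed:
            return hop, reason
    return None


if __name__ == "__main__":
    # Constructed sample: URLs an attacker might register, plus a benign one.
    for u in ("file:///etc/passwd", "http://localhost:8080/secret",
              "http://192.168.1.10/admin", "https://8.8.8.8/"):
        print(u, url_allowed(u))
    print(url_allowed("http://192.168.1.10/admin", allowed_ips={"192.168.1.0/24"}))
```

Two points the run makes visible: adding "file" to the scheme list lets file:///etc/passwd through again even with the address check intact, and listing a LAN range in the allowed addresses re-admits exactly the private web servers the description warns about, so both settings should be relaxed only for the specific scheme or range a trusted workflow needs.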
Note: The provided information does not specify the exact versions of git-annex affected by this issue. Upstream shipped the security fix in git-annex 6.20180626, so update to that version or later (or to the patched package from your distribution, see the related identifiers below). Where no fixed package is available for a given version, follow the general guidelines above for securing git-annex repositories.

Fix

Information Disclosure

Weakness Enumeration: none listed

Related Identifiers

CVE-2018-10857
DLA-1495-1
HSEC-2023-0010
HSEC-2023-0011
OPENSUSE-SU-2018_1896-1

Affected Products

Suse
Git-Annex