{"id":"HSEC-2023-0013","summary":"git-annex plaintext storage of embedded credentials on encrypted remotes","details":"# *git-annex* plaintext storage of embedded credentials on encrypted remotes\n\n*git-annex* had a bug in the **S3** and **Glacier** remotes where if\n`embedcreds=yes` was set, and the remote used `encryption=pubkey` or\n`encryption=hybrid`, the embedded AWS credentials were stored in the\nGit repository in (effectively) plaintext, not encrypted as they\nwere supposed to be.\n\nThat means that anyone who gets a copy of the Git repository can\nextract the AWS credentials from it.  Which would be bad.\n\nA remote with this problem cannot be enabled using `git annex\nenableremote`. Old versions of *git-annex* will fail with a GPG\nerror; the current version will fail with a pointer to this web\npage.\n\n## Remediation\n\nIf your repository has this problem, chose from one of these\napproaches to deal with it:\n\n1. Change your AWS credentials, so the ones stored in the clear in\n   git won't be used.\n\n   After changing the credentials, make sure you have a fixed\n   version of git-annex, and you can then re-embed the new creds\n   into the repository, encrypted this time, by setting the\n   `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment\n   variables, and running `git annex enableremote $remotename\n   embedcreds=yes`.\n\n2. Fix the problem and then remove the history of the *git-annex*\n   branch of the repository.\n\n   Make sure you have a fixed version of *git-annex*, and force\n   *git-annex* to rewrite the embedded creds, with encryption this\n   time, by setting by setting the `AWS_SECRET_ACCESS_KEY` and\n   `AWS_ACCESS_KEY_ID` environment variables, and running `git annex\n   enableremote $remotename embedcreds=yes`.\n\n   Then, to get rid of old versions of the *git-annex* branch that\n   still contains the creds in cleartext, you can use `git annex\n   forget`; note that it will remove other historical data too.\n\n   Keep in mind that this will not necessarily delete data from\n   clones you do not control.\n\n3. If you're sure that you're the only one who has access to the\n   repository, you could decide to leave it as-is.  It's no more\n   insecure than if you had used `encryption=shared` in the first\n   place when setting it up.\n","aliases":["CVE-2014-6274"],"modified":"2025-11-14T18:15:39.358247Z","published":"2025-11-14T14:45:34Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","repository":"https://github.com/haskell/security-advisories","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"ADVISORY","url":"https://git-annex.branchable.com/security/CVE-2014-6274/"},{"type":"ARTICLE","url":"https://git-annex.branchable.com/upgrades/insecure_embedded_creds/"}],"affected":[{"package":{"name":"git-annex","ecosystem":"Hackage","purl":"pkg:hackage/git-annex"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.20110401"},{"fixed":"5.20140919"}]}],"versions":["3.20110702","3.20110702.2","3.20110705","3.20110707","3.20110819","3.20110902","3.20110906","3.20110915","3.20110928","3.20111011","3.20111122","3.20111203","3.20111211","3.20111231","3.20120113","3.20120115","3.20120116","3.20120123","3.20120227","3.20120229","3.20120230","3.20120309","3.20120315","3.20120405","3.20120406","3.20120418","3.20120430","3.20120511","3.20120522","3.20120605","3.20120611","3.20120614","3.20120615","3.20120624","3.20120629","3.20120721","3.20120807","3.20120825","3.20120924","3.20121001","3.20121009","3.20121010","3.20121016","3.20121017","3.20121112","3.20121126","3.20121127","3.20121127.1","3.20121211","3.20130102","3.20130105","3.20130107","3.20130114","3.20130124","3.20130207","3.20130216.1","4.20130227","4.20130314","4.20130323","4.20130405","4.20130417","4.20130501","4.20130501.1","4.20130516","4.20130521","4.20130521.1","4.20130521.2","4.20130601","4.20130627","4.20130709","4.20130723","4.20130802","4.20130815","4.20130827","4.20130909","4.20130920","4.20130927","4.20131002","4.20131024","4.20131101","4.20131106","5.20131118","5.20131120","5.20131127","5.20131130","5.20131213","5.20131221","5.20131230","5.20140107","5.20140108","5.20140116","5.20140127","5.20140129","5.20140210","5.20140221","5.20140227","5.20140306","5.20140320","5.20140402","5.20140405","5.20140412","5.20140421","5.20140517","5.20140529","5.20140606","5.20140613","5.20140707","5.20140709","5.20140717","5.20140817","5.20140831","5.20140915"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0013.json","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0013.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0013.md"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}