git-annex S3 and Glacier Remotes Insecure Credential Storage Vulnerability

Vulnerability

git-annex versions from 3.20121126 up to, but not including, 5.20140919 mishandle embedded credentials in the S3 and Glacier special remotes. When a remote was configured with embedcreds=yes together with encryption=pubkey or encryption=hybrid, the embedded AWS access key ID and secret access key were written into the git repository in plaintext instead of being encrypted with the remote's cipher as intended. Anyone who can read the repository, including any clone of it, can recover the AWS credentials.

Impact

AWS credentials exposed in plaintext in the git repository and every clone of it, allowing anyone who can read the repository to use those credentials against the account's AWS resources (the S3 bucket or Glacier vault backing the remote, and anything else the key is permitted to access).

Remediation

First rotate the AWS credentials (issue a new access key and deactivate or delete the exposed one), since the old values must be assumed compromised regardless of what is done to the repository. Then install a fixed version of git-annex (5.20140919 or later). The new credentials can be re-embedded in encrypted form by exporting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables and running 'git annex enableremote $remotename embedcreds=yes'. If the repository history still contains the unencrypted credentials, 'git annex forget' can remove them, but note that it also discards other historical git-annex data, and that rewriting history does not recall copies already present in other clones or backups; revoking the old key is the step that actually closes the exposure.
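To check whether a repository still carries plaintext AWS credentials in its remote configuration, here is an added example; it is not part of this advisory and not git-annex's own code. It parses the git-annex remote.log format (assumed here to be one remote per line, '<uuid> key=value ...', with remote types 'S3' and 'glacier' and embedded credentials held as base64 under s3creds or glaciercreds; verify these assumptions against your git-annex version) and flags any S3 or Glacier remote whose credential field decodes to a readable access key/secret pair rather than an opaque encrypted blob. The sample log, AWS's documented example key pair and the stand-in encrypted blob are constructed for the example.

```python
"""Scan a git-annex remote.log for S3/Glacier remotes whose embedded AWS
credentials are stored in plaintext (base64 of "accesskey\nsecretkey").

Added example, not code from git-annex. Assumptions (verify against your
git-annex version): one remote per line as '<uuid> key=value ...', remote
types 'S3' and 'glacier', and credentials kept under 's3creds'/'glaciercreds'.
"""
import base64
import re

# Config keys assumed to hold embedded AWS credentials for each remote type.
CRED_KEYS = ("s3creds", "glaciercreds")
AFFECTED_TYPES = ("s3", "glacier")
# Shape of an AWS access key ID (e.g. AKIA...): 16-32 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"^[A-Z0-9]{16,32}$")


def parse_remote_log(text):
    """Return a list of (uuid, {key: value}) for each non-empty line."""
    remotes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        config = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            config[key] = value
        remotes.append((fields[0], config))
    return remotes


def decode_cred_pair(value):
    """Return (access_key, secret_key) if value is base64 of a plaintext
    key pair, or None if it is not valid base64, not ASCII, or not shaped
    like a pair (an encrypted blob fails these checks)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    lines = decoded.splitlines()
    if len(lines) != 2 or not ACCESS_KEY_RE.match(lines[0]) or not lines[1]:
        return None
    return lines[0], lines[1]


def find_plaintext_creds(text):
    """Return one finding per affected remote: uuid, name, encryption mode
    and the exposed access key ID (the secret is deliberately not returned)."""
    findings = []
    for uuid, cfg in parse_remote_log(text):
        if cfg.get("type", "").lower() not in AFFECTED_TYPES:
            continue
        for key in CRED_KEYS:
            pair = decode_cred_pair(cfg[key]) if key in cfg else None
            if pair:
                findings.append({
                    "uuid": uuid,
                    "name": cfg.get("name", "?"),
                    "encryption": cfg.get("encryption", "none"),
                    "access_key": pair[0],
                })
    return findings


# --- Constructed sample input (not taken from any real repository) ---------
# AWS's documented example key pair; not a live credential.
EXAMPLE_ACCESS = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# What the vulnerable versions wrote: base64 of the readable pair.
PLAINTEXT_BLOB = base64.b64encode(
    f"{EXAMPLE_ACCESS}\n{EXAMPLE_SECRET}\n".encode()).decode()
# Stand-in for a correctly encrypted blob: base64 of non-ASCII bytes.
OPAQUE_BLOB = base64.b64encode(bytes(range(0x80, 0x80 + 48))).decode()

SAMPLE_REMOTE_LOG = f"""\
a1e6c1f2-0000-4000-8000-000000000001 name=cloud type=S3 encryption=hybrid embedcreds=yes s3creds={PLAINTEXT_BLOB} timestamp=1410000000s
a1e6c1f2-0000-4000-8000-000000000002 name=vault type=glacier encryption=pubkey embedcreds=yes glaciercreds={OPAQUE_BLOB} timestamp=1410000001s
a1e6c1f2-0000-4000-8000-000000000003 name=plain type=S3 encryption=shared timestamp=1410000002s
"""

if __name__ == "__main__":
    import sys
    # Pipe 'git show git-annex:remote.log' in; with no input the sample is scanned.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REMOTE_LOG
    hits = find_plaintext_creds(text)
    for f in hits:
        print(f"PLAINTEXT CREDS: remote {f['name']} ({f['uuid']}) "
              f"encryption={f['encryption']} access_key={f['access_key']}")
    if not hits:
        print("no plaintext embedded credentials found")
```

Run it over 'git show git-annex:remote.log' for the current state and, before deciding whether 'git annex forget' is needed, over each historical revision of the file (for example 'git log --format=%H git-annex -- remote.log' followed by 'git show <rev>:remote.log' for each hash). A remote that is flagged under encryption=hybrid or encryption=pubkey is exactly the case this advisory describes; a remote whose field decodes only to an opaque blob was stored as intended.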

Added: Jun 26, 2025, 9:19 PM
Updated: Jun 26, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.