
Cloud Vulnerability DB
A community-led vulnerabilities database
git-annex had a bug in the S3 and Glacier special remotes: when a remote was created with embedcreds=yes and encryption=pubkey or encryption=hybrid, the embedded AWS credentials were written to the git repository in (effectively) plaintext instead of being encrypted as the encryption setting promised. Special-remote configuration, including embedded credentials, lives in the git-annex branch, which is cloned and pushed along with the rest of the repository, so the credentials travelled with every copy. Affected versions are 3.20121126 up to but not including 5.20140919 (Git Annex).
The bug is triggered only by that combination of settings; embedcreds=yes with encryption=shared, or a pubkey/hybrid remote without embedded credentials, is not affected in this way. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CISA-ADP): no privileges or user interaction are needed beyond read access to a copy of the repository, and the impact is a full loss of confidentiality of the AWS keys.
The impact is that anyone who obtains a copy of the affected git repository (a clone, a push target, a backup, a hosting provider) can recover the AWS access key and secret key from the git-annex branch and use them against the associated AWS account. What the attacker can then do is bounded only by the permissions granted to that IAM user, so the keys should be treated as compromised rather than merely exposed (Git Annex).
Several mitigation options are available:
1) Rotate the AWS credentials and re-embed the new ones using a fixed version of git-annex. This is the only option that actually revokes what may already have leaked.
2) Re-embed the credentials with a fixed version and then remove the old records from the history of the git-annex branch with 'git annex forget'. This rewrites the branch in your repository but does nothing for clones that already contain the old history.
3) If you are the only one with access to the repository and it has never been pushed anywhere you do not control, you could leave it as-is; the setup is then only as secure as encryption=shared would have been, which is weaker than the pubkey or hybrid protection you configured.
To re-embed credentials securely, export the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables and run 'git annex enableremote $remotename embedcreds=yes' with a patched version; the fixed version stores the credentials encrypted under the remote's encryption scheme (Git Annex).
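Before choosing a mitigation it helps to know whether any remote in the repository, at any point in its history, ever carried the vulnerable combination, since credentials embedded by an affected version remain in old revisions of the git-annex branch even after the configuration is corrected. The following audit script is an added example written for this page; it is not git-annex project code. It assumes the branch is named git-annex, that remote.log on that branch holds one remote per line as "<uuid> key=value key=value ... timestamp=<t>s" (the embedcreds, encryption and type settings being among those key=value pairs), and that `git annex version` prints a version of the form major.yyyymmdd. The remote.log sample embedded in the script is constructed for illustration.

```python
"""Audit a git-annex repository for S3/Glacier remotes configured with
embedcreds=yes and encryption=pubkey or encryption=hybrid, and check whether
a git-annex version string falls in the affected range 3.20121126 <= v < 5.20140919.

Added example, not git-annex project code. Assumptions (verify against your repo):
the branch is named "git-annex", remote.log on that branch holds one remote per
line as "<uuid> key=value ... timestamp=<t>s", and `git annex version` prints
"git-annex version: <major>.<yyyymmdd>[...]".
"""
import re
import subprocess
import sys

AFFECTED_MIN = (3, 20121126)      # first affected release
FIXED = (5, 20140919)             # first fixed release
AFFECTED_TYPES = {"S3", "Glacier"}
AFFECTED_ENCRYPTION = {"pubkey", "hybrid"}

_VERSION_RE = re.compile(r"(\d+)\.(\d{8})")

# Constructed sample (not taken from a real repository): one vulnerable S3 remote,
# one Glacier remote using encryption=shared, one rsync remote without creds.
SAMPLE_REMOTE_LOG = """\
aaaaaaaa-1111-4222-8333-444444444444 name=cloud type=S3 encryption=hybrid embedcreds=yes cipher=Zm9vYmFy= timestamp=1410000000s
bbbbbbbb-1111-4222-8333-444444444444 name=vault type=Glacier encryption=shared embedcreds=yes cipher=YmF6 timestamp=1410000001s
cccccccc-1111-4222-8333-444444444444 name=mirror type=rsync encryption=pubkey timestamp=1410000002s
"""


def parse_version(text):
    """Return (major, yyyymmdd) from a version string or `git annex version`
    output, or None if no version of that shape is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected_version(text):
    """True when the version lies in [3.20121126, 5.20140919)."""
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v < FIXED


def parse_remote_log(text):
    """Parse remote.log lines into (uuid, {key: value}) pairs. Values such as
    the cipher are base64 and may contain '=', so split each token on the
    first '=' only."""
    remotes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = {}
        for tok in parts[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                fields[key] = value
        remotes.append((parts[0], fields))
    return remotes


def affected_remotes(text):
    """Return (uuid, name, type, encryption) for every remote whose settings
    match the vulnerable combination described in the advisory."""
    hits = []
    for uuid, f in parse_remote_log(text):
        if (f.get("type") in AFFECTED_TYPES
                and f.get("embedcreds") == "yes"
                and f.get("encryption") in AFFECTED_ENCRYPTION):
            hits.append((uuid, f.get("name", "?"), f["type"], f["encryption"]))
    return hits


def _git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout


def scan_repo(repo):
    """Walk every revision of remote.log on the git-annex branch, not just the
    current one: credentials embedded by a vulnerable version stay in history
    after the configuration is fixed, which is why the advisory mentions
    `git annex forget`. Returns (short_rev, uuid, name, type, encryption)."""
    findings = []
    for rev in _git(repo, "rev-list", "git-annex", "--", "remote.log").split():
        try:
            log = _git(repo, "show", f"{rev}:remote.log")
        except subprocess.CalledProcessError:
            continue  # remote.log absent at this revision
        for hit in affected_remotes(log):
            findings.append((rev[:12],) + hit)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in scan_repo(sys.argv[1]):
            print("VULNERABLE CONFIG IN HISTORY:", *finding)
    else:
        print("sample findings:", affected_remotes(SAMPLE_REMOTE_LOG))
```

Run it with the path of a git-annex repository to list every historical revision of remote.log that carried the vulnerable combination; any hit means the keys in that revision should be rotated, whatever the current configuration says. The version check is there so the same script can be pointed at the output of `git annex version` on each machine that has ever run enableremote or initremote against the repository.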
Source: This report was generated using AI