GHSA-J5VM-7QCC-2WWG
Vulnerability from github – Published: 2024-04-10 17:15 – Updated: 2026-04-27 14:18
VLAI
Summary
Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output
Details
Impact
What kind of vulnerability is it? Who is impacted?
Storage credentials are written to the console.
Patches
Has the problem been patched? Yes, see #3589 What versions should users upgrade to? - Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77 - No release has been created yet.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Be aware that
kopia repo status --jsonwill write the credentials to the output without scrubbing them. - Avoid executing
kopia repo statuswith the--jsonflag in an insecure environment where. - Avoid logging the output of the
kopia repo status --jsoncommand.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kopia/kopia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-10T17:15:26Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nStorage credentials are written to the console.\n\n### Patches\n\n_Has the problem been patched?_ Yes, see #3589\n_What versions should users upgrade to?_\n- Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77\n- No release has been created yet.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- Be aware that `kopia repo status --json` will write the credentials to the output without scrubbing them.\n- Avoid executing `kopia repo status` with the `--json` flag in an insecure environment where.\n- Avoid logging the output of the `kopia repo status --json` command.",
"id": "GHSA-j5vm-7qcc-2wwg",
"modified": "2026-04-27T14:18:23Z",
"published": "2024-04-10T17:15:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kopia/kopia/security/advisories/GHSA-j5vm-7qcc-2wwg"
},
{
"type": "WEB",
"url": "https://github.com/kopia/kopia/pull/3589"
},
{
"type": "WEB",
"url": "https://github.com/kopia/kopia/commit/1d6f852cd6534f4bea978cbdc85c583803d79f77"
},
{
"type": "PACKAGE",
"url": "https://github.com/kopia/kopia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kopia: Storage connection credentials written to console on \"repository status\" CLI command with JSON output"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…