Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qNXZtLTdxY2MtMnd3Z84AA63w

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

Impact

What kind of vulnerability is it? Who is impacted?

Storage credentials are written to the console.

Patches

Has the problem been patched? Yes, see #3589
What versions should users upgrade to?

Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
No release has been created yet.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Be aware that kopia repo status --json will write the credentials to the output without scrubbing them.
Avoid executing kopia repo status with the --json flag in an insecure environment where.
Avoid logging the output of the kopia repo status --json command.

Permalink: https://github.com/advisories/GHSA-j5vm-7qcc-2wwg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNXZtLTdxY2MtMnd3Z84AA63w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 23 days ago
Updated: 23 days ago

CVSS Score: 2.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-j5vm-7qcc-2wwg
References:

Repository: https://github.com/kopia/kopia
Blast Radius: 3.2

Affected Packages

go:github.com/kopia/kopia

Dependent packages: 33
Dependent repositories: 39
Downloads:
Affected Version Ranges: < 0.16.0
Fixed in: 0.16.0
All affected versions: 0.3.0, 0.4.0, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.14.1, 0.15.0
All unaffected versions: 0.16.0, 0.16.1, 0.17.0