GHSA-j5vm-7qcc-2wwg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j5vm-7qcc-2wwg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-j5vm-7qcc-2wwg/GHSA-j5vm-7qcc-2wwg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j5vm-7qcc-2wwg
- Aliases
- Published
- 2024-04-10T17:15:26Z
- Modified
- 2024-06-04T16:58:54.708860Z
- Severity
-
- 2.0 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
Storage credentials are written to the console.
Patches
Has the problem been patched? Yes, see #3589 What versions should users upgrade to? - Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77 - No release has been created yet.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Be aware that
kopia repo status --jsonwill write the credentials to the output without scrubbing them. - Avoid executing
kopia repo statuswith the--jsonflag in an insecure environment where. - Avoid logging the output of the
kopia repo status --jsoncommand.
- Be aware that
- Database specific
{ "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2024-04-10T17:15:26Z", "severity": "LOW", "cwe_ids": [ "CWE-200" ] }- References
Affected packages
Go / github.com/kopia/kopia
Package
- Name
- github.com/kopia/kopia
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/kopia/kopia