Headline
GHSA-j5vm-7qcc-2wwg: Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output
Impact
What kind of vulnerability is it? Who is impacted?
Storage credentials are written to the console.
Patches
Has the problem been patched? Yes, see #3589 What versions should users upgrade to?
- Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
- No release has been created yet.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Be aware that
kopia repo status --jsonwill write the credentials to the output without scrubbing them. - Avoid executing
kopia repo statuswith the--jsonflag in an insecure environment where. - Avoid logging the output of the
kopia repo status --jsoncommand.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-j5vm-7qcc-2wwg
Kopia: Storage connection credentials written to console on “repository status” CLI command with JSON output
Low severity GitHub Reviewed Published Apr 9, 2024 in kopia/kopia • Updated Apr 10, 2024
Package
gomod github.com/kopia/kopia (Go)
Affected versions
< 0.16.0
Impact
What kind of vulnerability is it? Who is impacted?
Storage credentials are written to the console.
Patches
Has the problem been patched? Yes, see #3589
What versions should users upgrade to?
- Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
- No release has been created yet.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Be aware that kopia repo status --json will write the credentials to the output without scrubbing them.
- Avoid executing kopia repo status with the --json flag in an insecure environment where.
- Avoid logging the output of the kopia repo status --json command.
References
- GHSA-j5vm-7qcc-2wwg
- kopia/kopia#3589
- kopia/kopia@1d6f852
Published to the GitHub Advisory Database
Apr 10, 2024
Last updated
Apr 10, 2024