
Security advisories

GHSA-j5vm-7qcc-2wwg

Published

Last updated

https://github.com/advisories/GHSA-j5vm-7qcc-2wwg

Severity

2.0

Low

CVSS V3

Description

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output.

Impact

What kind of vulnerability is it? Who is impacted?

Storage credentials are written to the console.

Patches

Has the problem been patched? Yes, see #3589

What versions should users upgrade to?

  • Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
  • No release has been created yet.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • Be aware that kopia repo status --json will write the credentials to the output without scrubbing them.
  • Avoid executing kopia repo status with the --json flag in an insecure environment where.
  • Avoid logging the output of the kopia repo status --json command.
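
For automation that still needs the JSON status on an unpatched build, the output can be piped through a filter that masks credential fields before anything reaches a log. This is an added example, not code from the advisory or from the Kopia project; the advisory does not list the JSON field names, so the key patterns and the sample document below are constructed assumptions.

```python
import json
import re
import sys

# Assumption: the advisory does not name the fields, so keys are matched by pattern.
SENSITIVE = re.compile(r"secret|password|token|credential|access.?key|private.?key", re.I)
REDACTED = "***REDACTED***"

def scrub(node):
    """Return a copy of a parsed JSON value with sensitive values masked."""
    if isinstance(node, dict):
        return {
            key: REDACTED if SENSITIVE.search(key) and value not in ("", None)
            else scrub(value)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [scrub(item) for item in node]
    return node

def scrub_status_output(raw):
    """Mask credentials in status JSON; fail closed if the text is not JSON."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        # Never echo text that could not be parsed: it may still hold secrets.
        return json.dumps({"error": "unparseable status output withheld"})
    return json.dumps(scrub(doc), indent=2)

# Constructed sample, not real Kopia output; field names are hypothetical.
SAMPLE = json.dumps({
    "configFile": "/home/backup/.config/kopia/repository.config",
    "storage": {"type": "s3", "config": {
        "bucket": "example-backups",
        "endpoint": "s3.example.invalid",
        "accessKeyID": "EXAMPLEKEYID",
        "secretAccessKey": "constructed-secret-value",
    }},
})

if __name__ == "__main__":
    # Usage: kopia repo status --json | python3 scrub_status.py
    sys.stdout.write(scrub_status_output(sys.stdin.read()) + "\n")
```

The filter only helps when the command's output is piped straight into it; if the raw output is also captured by a terminal recorder or CI log, the credentials are still exposed there.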

References

  • https://github.com/kopia/kopia/security/advisories/GHSA-j5vm-7qcc-2wwg

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore.
