2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j5vm-7qcc-2wwg

EPSS Score

CWE

CWE-200

Published

4/10/2024

Updated

4/10/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-j5vm-7qcc-2wwg

GHSA-j5vm-7qcc-2wwg: Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

Impact

What kind of vulnerability is it? Who is impacted?

Storage credentials are written to the console.

Patches

Has the problem been patched? Yes, see #3589 What versions should users upgrade to?

Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
No release has been created yet.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Be aware that kopia repo status --json will write the credentials to the output without scrubbing them.
Avoid executing kopia repo status with the --json flag in an insecure environment where.
Avoid logging the output of the kopia repo status --json command.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-j5vm-7qcc-2wwg

GHSA-j5vm-7qcc-2wwg:

2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j5vm-7qcc-2wwg

EPSS Score

CWE

CWE-200

Published

4/10/2024

Updated

4/10/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/kopia/kopia	go	< 0.16.0	0.16.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inadequate scrubbing of sensitive data in nested structures. The pre-patch version of ScrubSensitiveData only performed shallow scrubbing, missing fields in nested objects. The commit 1d6f852 added recursive handling for pointers, structs, and interfaces, and the test changes demonstrate that nested fields with 'sensitive' tags were previously not scrubbed. This function is directly responsible for data redaction in JSON outputs, making it the clear vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-j5vm-7qcc-2wwg: Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

Impact

Patches

Workarounds

GHSA-j5vm-7qcc-2wwg:

2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

2

2

Basic Information

Basic Information

GHSA-j5vm-7qcc-2wwg: Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI