CVE-2007-5626: Cleartext Transmission of Sensitive Info in Bacula

Severity
5.5 MEDIUM (NVD)
EPSS
0.0%
top 89.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 23
Latest update: May 1

Description

make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

debian: debian/bacula < bacula 5.0.0-1 (bookworm)
Debian: bacula/bacula < 5.0.0-1+3
NVD: bacula/bacula 2.2.5

🔴Vulnerability Details

2
GHSA
GHSA-2r7q-8h3w-q3pc: make_catalog_backup in Bacula 2 (2022-05-01)
OSV
CVE-2007-5626: make_catalog_backup in Bacula 2 (2007-10-23)

📋Vendor Advisories

1
Debian
CVE-2007-5626: bacula - make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL passwor... (2007)

📐Framework References

2
CWE
Missing Encryption of Sensitive Data
CWE
Cleartext Transmission of Sensitive Information

💬Community

1
Bugzilla
CVE-2007-5626 bacula: MySQL Director Password Disclosure Weakness (2008-07-24)