CVE-2007-5201
FTP backend for Duplicity Discloses Passwords to Process Listing
EPSS 0.10%
Description
The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
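The exposure described above, and the usual class of fix, as an added example (not Duplicity's or ncftp's own code). It assumes Linux with a readable /proc. A Python child process stands in for the FTP client, and the `-u`/`-p`/`-f` arguments, user name and password are constructed labels for that stand-in, not a claim about ncftp's options.

```python
import os
import subprocess
import sys
import tempfile

SECRET = "constructed-example-password"  # constructed sample value
# Stand-in for the FTP client: idles so its process entry can be inspected.
CHILD = "import time; time.sleep(30)"


def cmdline_of(pid):
    """Return a process's argv as exposed in /proc (what ps displays)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return fh.read().split(b"\0")[:-1]


def spawn_and_inspect(extra_args):
    """Start the stand-in child and return the argv visible in /proc."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD, *extra_args])
    try:
        return cmdline_of(proc.pid)
    finally:
        proc.kill()
        proc.wait()


def leaky_call():
    # Pattern from the advisory: the password is an argv element.
    return spawn_and_inspect(["-u", "backup", "-p", SECRET])


def hardened_call():
    # Password goes into an owner-only file; argv carries only the path.
    fd, path = tempfile.mkstemp(prefix="ftpcred-")  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"user backup\npass {SECRET}\n")
        mode = os.stat(path).st_mode & 0o777
        return spawn_and_inspect(["-f", path]), mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("leaky argv:   ", leaky_call())
    argv, mode = hardened_call()
    print("hardened argv:", argv, "file mode:", oct(mode))
```

Mounting /proc with the `hidepid` option limits what other local users can see, but it is a mitigation on the host; keeping the secret out of argv is the fix in the calling program.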
How to fix CVE-2007-5201
To remediate CVE-2007-5201, upgrade the affected package to a fixed version below.
- Debian/duplicity—upgrade to 0.4.3-2 or later
- PyPI/duplicity—upgrade to 0.4.9 or later
Is CVE-2007-5201 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/duplicity: from 0, < 0.4.3-2
- PyPI/duplicity: from 0, < 0.4.9