—
PYSEC-2026-633
FTP backend for Duplicity Discloses Passwords to Process Listing
Details
The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2007-5201 [ADVISORY]
- https://bugzilla.redhat.com/show_bug.cgi?id=293081 [WEB]
- https://gitlab.com/duplicity/duplicity [PACKAGE]
- https://web.archive.org/web/20080118045107/https://duplicity.nongnu.org/CHANGELOG [WEB]
- https://web.archive.org/web/20200228164800/http://www.securityfocus.com/bid/27771 [WEB]
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00356.html [WEB]
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00445.html [WEB]
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=442840 [WEB]
- https://pypi.org/project/duplicity [PACKAGE]
- https://github.com/advisories/GHSA-wxcw-rqxc-hj85 [ADVISORY]