Description: make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 446809

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| bacula (PTS) | bullseye | 9.6.7-3 | fixed |
| | sid, trixie | 13.0.4-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |


This script needs the default database password and name to be set, which
would be a bigger problem in a non-trusted environment. Apart from that,
this is documented in the Bacula documentation.
Since Bacula 5.0.0, "" is used by default, which is not affected.
