PT-2007-6636 · Bacula · Bacula

Matthijs Kooijman

·

Published

2007-10-23

·

Updated

2024-01-25

·

CVE-2007-5626

CVSS v3.1

5.5

Medium

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Bacula version 2.2.5

Description: The make_catalog_backup script shipped with Bacula 2.2.5 passes the MySQL catalog password to the database dump command as a command-line argument. Process argument lists are not private: on Linux, /proc/<pid>/cmdline is world-readable by default, so any local user can recover the password with ps(1) while the catalog backup job is running. In some cases the same command line is also transmitted in cleartext e-mail (for example as part of a job report), so the password can additionally be recovered by sniffing the network.

Recommendations: Upgrade to a Bacula release in which make_catalog_backup no longer passes the password on the command line. If the script must be modified locally, write the credentials to a MySQL option file owned by the Bacula user with mode 0600 and hand it to the dump command with --defaults-extra-file, so that the argument list carries only a file path. This is preferable to the MYSQL_PWD environment variable, which keeps the password out of ps output but leaves it readable in /proc/<pid>/environ by the same user and by root, and which the MySQL documentation itself describes as insecure. Until the script is changed, reduce the exposure: on Linux, mount /proc with hidepid=2 so that users cannot list other users' processes, keep the catalog-backup command line out of mailed job reports, and deliver Bacula's notification mail over TLS or to a local mailbox rather than in cleartext across the network.
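The following script is an added example for this advisory; it is not Bacula's own make_catalog_backup script. It contrasts the 2.2.5-style invocation, which puts the MySQL password on the command line, with the option-file form recommended above, and it includes a check that reads a running process's argument list the way any unprivileged local user could. The function names, the stand-in that replaces mysqldump (a shell loop with the same argument shape, so nothing needs a MySQL server), and the credentials bacula / hunter2 are assumptions made for this example.

```sh
#!/bin/sh
# Added example for CVE-2007-5626 (not Bacula's own make_catalog_backup).
# Assumed names: vulnerable_dump_cmd, write_option_file, hardened_dump_cmd,
# argv_leaks_secret, demo; assumed credentials: bacula / hunter2.

# Vulnerable pattern: $1 = database, $2 = user, $3 = password.
# The password becomes part of argv, so it is visible to every local user
# via ps(1) or /proc/<pid>/cmdline, and it is present in any job log or
# mail that quotes the command line.
vulnerable_dump_cmd() {
    printf '%s\n' "mysqldump -f --opt -u $2 --password=$3 $1"
}

# Hardened pattern, step 1: write the credentials to a temporary option file
# that only the invoking user can read ($1 = user, $2 = password). Prints
# the file path.
write_option_file() {
    user=$1; pass=$2
    f=$(mktemp) || return 1
    chmod 600 "$f" || return 1
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$f" || return 1
    printf '%s\n' "$f"
}

# Hardened pattern, step 2: $1 = database, $2 = option file path.
# argv now carries only a path; mysqldump reads the password from the file.
hardened_dump_cmd() {
    printf '%s\n' "mysqldump --defaults-extra-file=$2 -f --opt $1"
}

# Exposure check: start "$@" in the background, read its argument list as an
# unprivileged observer would, then stop it. Returns 0 if the secret ($1)
# appears in the argument list, 1 otherwise.
argv_leaks_secret() {
    secret=$1; shift
    "$@" &
    pid=$!
    sleep 1                                 # let the child exec before we look
    if [ -r "/proc/$pid/cmdline" ]; then
        args=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    else
        args=$(ps -o args= -p "$pid")       # portable fallback (BSD, macOS)
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case "$args" in
        *"$secret"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration. mysqldump is replaced by a stand-in shell loop that takes
# the same arguments, so this runs without MySQL installed.
demo() {
    db=bacula; user=bacula; pass=hunter2
    echo "vulnerable: $(vulnerable_dump_cmd "$db" "$user" "$pass")"
    optfile=$(write_option_file "$user" "$pass") || return 1
    echo "hardened:   $(hardened_dump_cmd "$db" "$optfile")"
    if argv_leaks_secret "$pass" sh -c 'while :; do sleep 1; done' \
            mysqldump -u "$user" --password="$pass" "$db"; then
        echo "argv check: the vulnerable form exposes the password to ps"
    fi
    if ! argv_leaks_secret "$pass" sh -c 'while :; do sleep 1; done' \
            mysqldump --defaults-extra-file="$optfile" -f --opt "$db"; then
        echo "argv check: the hardened form does not"
    fi
    rm -f "$optfile"                        # never leave the credentials behind
}

demo
```

Two practical points follow from the check. First, the hardened command line still reveals the option file's path, so the file must be unreadable to other users (mode 0600, as above) and removed as soon as the dump finishes. Second, `/proc/<pid>/cmdline` is readable by everyone unless /proc is mounted with hidepid=2; that mount option narrows the exposure window but does not remove the password from job logs or mail, so it is a workaround rather than a fix.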

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information (CWE-319)

Related Identifiers

CVE-2007-5626

Affected Products

Bacula