MyHoard Backup Encryption Key Logging Vulnerability
Vulnerability
A vulnerability in MyHoard, a daemon for managing MySQL backups, allows the backup encryption key to be logged in plain text. This issue affects versions 1.0.1 through 1.2.9. The vulnerability arises because, in certain cases, MyHoard logs complete backup information, including sensitive encryption keys. While version 1.3.0 addresses this issue, users of earlier versions may inadvertently expose encryption keys in log files.
Impact
Logging of backup encryption keys in plain text, creating a risk of unauthorized access to encrypted backups.
Reproduction
The vulnerability can be reproduced by creating a backup with MyHoard version 1.0.1 through 1.2.9. In some cases, the backup logs will include the encryption key in plain text. This can be verified by checking the log files after the backup process.
Remediation
Users can upgrade to MyHoard version 1.3.0 or later, which addresses this vulnerability. Alternatively, logs can be directed to /dev/null to prevent sensitive information from being recorded.
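The reproduction step above says to check the log files after a backup, and the remediation offers discarding logs entirely as a stop-gap. The following Python script, added here as an example and not part of MyHoard, covers both sides for an operator who cannot upgrade immediately: it scans existing log lines for a known key value, and it provides a logging.Filter that redacts the key before any handler writes it, so logs can be kept without sending them to /dev/null. The key value, the log lines, and the field name encryption_key are constructed assumptions; MyHoard's actual log format is not shown on this page.

```python
"""Defender-side helpers for the key-logging issue: scan existing logs for a
leaked backup encryption key, and redact keys from future log output.

Added example, not MyHoard's own code. Assumes plain-text log files and a
hypothetical 'encryption_key' field name; the key and log lines below are
constructed samples.
"""
import logging
import re
from typing import Iterable, List

REDACTED = "[REDACTED]"

# Constructed sample key (not a real key) and constructed sample log lines
# in which a daemon dumps its full backup configuration at DEBUG level.
SAMPLE_KEY = "Q0VTQVJfU0FNUExFX0tFWV9ET19OT1RfVVNF"
SAMPLE_LOG_LINES = [
    "2024-01-01 10:00:00 INFO myhoard backup started site=default",
    "2024-01-01 10:00:01 DEBUG backup info: {'stream_id': 'abc123', "
    f"'encryption_key': '{SAMPLE_KEY}', 'site': 'default'}}",
    "2024-01-01 10:00:05 INFO upload complete bytes=1048576",
]

# Hypothetical field pattern: matches 'encryption_key': 'abc' and encryption_key=abc.
_KEY_FIELD_RE = re.compile(r"(encryption_key['\"]?\s*[:=]\s*['\"]?)([^'\",}\s]+)")


def find_key_leaks(lines: Iterable[str], key: str) -> List[int]:
    """Return 1-based line numbers where the literal key value appears."""
    return [i for i, line in enumerate(lines, start=1) if key in line]


def redact_fields(text: str) -> str:
    """Replace the value of any encryption_key field with a placeholder."""
    return _KEY_FIELD_RE.sub(lambda m: m.group(1) + REDACTED, text)


def redact_known_keys(text: str, known_keys: Iterable[str]) -> str:
    """Replace any occurrence of a known key value, wherever it appears."""
    for key in known_keys:
        if key:
            text = text.replace(key, REDACTED)
    return text


class KeyRedactingFilter(logging.Filter):
    """logging.Filter that rewrites records before any handler emits them."""

    def __init__(self, known_keys: Iterable[str] = ()):
        super().__init__()
        self.known_keys = [k for k in known_keys if k]

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message now so that args (e.g. a dict holding the key)
        # are included in what gets redacted.
        message = record.getMessage()
        message = redact_known_keys(redact_fields(message), self.known_keys)
        record.msg = message
        record.args = ()
        return True


def redact_log_message(msg: str, args: tuple, known_keys: Iterable[str] = ()) -> str:
    """Run one message through the filter and return what a handler would see."""
    record = logging.makeLogRecord({"msg": msg, "args": args})
    KeyRedactingFilter(known_keys).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # 1. Audit: which lines of the (constructed) log expose the key?
    print("key found on lines:", find_key_leaks(SAMPLE_LOG_LINES, SAMPLE_KEY))
    # 2. Clean-up: the same lines with the key removed.
    for line in SAMPLE_LOG_LINES:
        print(redact_known_keys(redact_fields(line), [SAMPLE_KEY]))
    # 3. Prevention: with the filter attached, the key never reaches a handler.
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    logger = logging.getLogger("myhoard-demo")
    logger.addFilter(KeyRedactingFilter([SAMPLE_KEY]))
    logger.debug("backup info: %s", {"encryption_key": SAMPLE_KEY, "site": "default"})
```

Attaching the filter to a handler rather than to a logger is the safer choice in a real deployment, because a logger's filters are not consulted for records that propagate up from child loggers, while a handler's filters see every record it is asked to emit. The scan function is a literal match on the configured key, so it finds the leak only for a key the operator already knows; the field-based redaction is the part that also catches keys logged under a different value.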
