Tag
Kopia's HTTP server, when started without `--without-password`, accepts unauthenticated requests which can lead to arbitrary command execution as the Kopia process user via `-oProxyCommand` in `sshArguments` for SFTP backends with `externalSSH: true`. An attacker-supplied storage configuration is forwarded to `blob.NewStorage`, and the `sshArguments` are split on spaces and passed directly to `exec.CommandContext("ssh")`, resulting in command injection.