VYPR
High severity · NVD Advisory · Published Feb 8, 2018 · Updated Aug 5, 2024

CVE-2017-15914

Description

Borg servers 1.1.x before 1.1.3 allow remote users to override repository access controls due to incorrect implementation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw in the access control implementation in Borg Backup servers allows remote users to bypass intended repository restrictions. The vulnerability affects Borg versions 1.1.x prior to 1.1.3. The incorrect implementation enables unauthorized operations on the repository, potentially compromising backup data integrity and confidentiality. [1][3]
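To make the access-control flaw concrete, here is an added, simplified model of how a Borg server merges the "borg serve" command pinned on the server side (for example as an SSH forced command) with the command a remote client asks for. This is illustrative code written for this page, not Borg's own get_args(); the option names mirror the fix commit, everything else (parser layout, the assumed /srv/backups paths) is constructed, and the fixed flag switches between the pre-1.1.3 and the 1.1.3 behaviour.

```python
import argparse
from typing import List, Optional

# Added, simplified model of how a Borg server merges the pinned server-side
# "borg serve" command with the command a remote client asks for. This is NOT
# Borg's own get_args(); option names mirror the fix commit, the rest is assumed.


def _parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="borg", add_help=False)
    p.add_argument("command")  # subcommand, e.g. "serve"
    p.add_argument("--restrict-to-path", action="append", dest="restrict_to_paths")
    p.add_argument("--restrict-to-repository", action="append", dest="restrict_to_repositories")
    p.add_argument("--append-only", action="store_true")
    p.add_argument("--umask", default="0077")
    return p


def merge_args(forced_argv: List[str], client_argv: List[str], fixed: bool) -> argparse.Namespace:
    """forced_argv: the 'borg serve' command pinned on the server (e.g. an SSH forced command).
    client_argv: the command the remote client asked the server to run.
    Ordinary options (--umask, ...) are taken from the client; restrictions must only
    ever come from forced_argv. `fixed` selects pre-1.1.3 vs. 1.1.3 behaviour."""
    forced = _parser().parse_known_args(forced_argv[1:])[0]
    result = _parser().parse_known_args(client_argv[1:])[0]
    if result.command != forced.command:
        # client asked for a different subcommand: serve with the pinned arguments only
        return forced
    # allowlist copy of the options the client must not control
    result.restrict_to_paths = forced.restrict_to_paths
    result.append_only = forced.append_only
    if fixed:
        # the one-line fix shipped in 1.1.3: pin the repository restriction as well
        result.restrict_to_repositories = forced.restrict_to_repositories
    # before the fix, result.restrict_to_repositories stays whatever the client sent
    return result


def effective_repo_restriction(forced_argv: List[str], client_argv: List[str],
                               fixed: bool) -> Optional[List[str]]:
    """The repository restriction the server will actually enforce."""
    return merge_args(forced_argv, client_argv, fixed).restrict_to_repositories


if __name__ == "__main__":
    pinned = ["borg", "serve", "--restrict-to-repository=/srv/backups/r1"]  # constructed
    widened = ["borg", "serve", "--restrict-to-repository=/"]  # constructed client request
    print("pre-1.1.3:", effective_repo_restriction(pinned, widened, fixed=False))  # ['/']
    print("1.1.3+:   ", effective_repo_restriction(pinned, widened, fixed=True))   # ['/srv/backups/r1']
```

The same missing-copy pattern is why the path restriction was never affected: restrict_to_paths was already on the allowlist, restrict_to_repositories was not.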

Exploitation

An attacker must have network access to the Borg server and be able to authenticate or interact with the server's exposed interface. The exact steps to trigger the flaw are not detailed in the available references, but the issue stems from the incorrect handling of access controls, allowing a remote user to override restrictions that should prevent certain operations. [1][3]

Impact

Successful exploitation allows a remote attacker to override repository access controls, potentially leading to unauthorized reading, writing, or deletion of backup archives. This could result in data loss, exposure of sensitive information, or corruption of the backup repository. [1][3]

Mitigation

Upgrade to Borg version 1.1.3 (released 2017-11-27) or later, which contains the fix for this vulnerability. No workaround is documented in the available references. Users should ensure all Borg server instances are updated to the patched version. [1][3]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions      Patched versions
borgbackup (PyPI)    >= 1.1.0b1, < 1.1.3    1.1.3

Patches

75854c1243b2

security: fix enforcement of --restrict-to-path in args processing

https://github.com/borgbackup/borg · Thomas Waldmann · Nov 26, 2017 · via ghsa
2 files changed · +13 −0
  • src/borg/archiver.py · +1 −0 · modified
    @@ -3806,6 +3806,7 @@ def get_args(self, argv, cmd):
                     return forced_result
                 # we only take specific options from the forced "borg serve" command:
                 result.restrict_to_paths = forced_result.restrict_to_paths
    +            result.restrict_to_repositories = forced_result.restrict_to_repositories
                 result.append_only = forced_result.append_only
             return result
     
    
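Review bot: the commit title names --restrict-to-path, but the only changed line in this hunk copies restrict_to_repositories; retitle to --restrict-to-repository so the changelog and any advisory point at the option that was actually unenforced. The added line also keeps the per-field allowlist copy that caused the bug, so nothing here stops the next restriction option from being forgotten the same way; consider pinning the options by name in one place, e.g. `for name in ('restrict_to_paths', 'restrict_to_repositories', 'append_only'): setattr(result, name, getattr(forced_result, name))`, so the allowlist is a single tuple that can be compared against the "borg serve" option definitions in review. A note for operators is warranted too, since before this change a forced command carrying only --restrict-to-repository was silently not enforced.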
  • src/borg/testsuite/archiver.py · +12 −0 · modified
    @@ -3546,10 +3546,22 @@ def test_get_args():
         assert args.restrict_to_paths == ['/p1', '/p2']
         assert args.umask == 0o027
         assert args.log_level == 'info'
    +    # similar, but with --restrict-to-repository
    +    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
    +                             'borg serve --info --umask=0027')
    +    assert args.restrict_to_repositories == ['/r1', '/r2']
         # trying to cheat - break out of path restriction
         args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                                  'borg serve --restrict-to-path=/')
         assert args.restrict_to_paths == ['/p1', '/p2']
    +    # trying to cheat - break out of repository restriction
    +    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
    +                             'borg serve --restrict-to-repository=/')
    +    assert args.restrict_to_repositories == ['/r1', '/r2']
    +    # trying to cheat - break below repository restriction
    +    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
    +                             'borg serve --restrict-to-repository=/r1/below')
    +    assert args.restrict_to_repositories == ['/r1', '/r2']
         # trying to cheat - try to execute different subcommand
         args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                                  'borg init --encryption=repokey /')
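Review bot: all three new cases pin --restrict-to-repository in argv; the inverse case is missing, where argv carries no repository restriction and cmd supplies one, asserting that args.restrict_to_repositories equals the forced (empty) value, because the fix copies the forced value unconditionally and that branch is exactly what the pre-fix code never exercised. Also, the first new case passes `'borg serve --info --umask=0027'` as cmd but asserts only restrict_to_repositories; mirror the existing path test above it and add `assert args.umask == 0o027` and `assert args.log_level == 'info'` so the test also shows that non-restriction options still come from the client.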
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
