CVE-2021-38599: 
NixOS vulnerability analysis and mitigation

WAL-G before version 1.1, when using a non-libsodium build (such as the official binary releases published as GitHub Releases), silently ignores the libsodium encryption key and uploads cleartext backups. This vulnerability, identified as CVE-2021-38599, was discovered in 2021 and represents a Principle of Least Surprise violation as users likely intended to encrypt all file activity (CVE Details).

The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue specifically exists in the handling of libsodium encryption keys, where the application fails to properly enforce encryption when compiled without libsodium support. The vulnerability is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) (NVD).

The primary impact of this vulnerability is that backup files intended to be encrypted are processed and uploaded as plaintext, potentially exposing sensitive data. This creates a significant security risk as users believe their backups are encrypted when they are actually stored in cleartext (GitHub PR).

The vulnerability has been fixed in WAL-G version 1.1 and later. The fix includes enabling libsodium in GitHub release builds and adding checks to exit with failure if libsodium encryption is requested but not supported in the build. Users should upgrade to version 1.1 or later to ensure proper encryption functionality (GitHub Commit).