CVE 2007-5201
The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
See the 
CVE page on Mitre.org
for more details.
