Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
From | David G. Johnston |
---|---|
Subject | Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs |
Date | |
Msg-id | CAKFQuwZ5WbsxVd1K_jm=nyPqNZ7K99X+2q_aSD1ukDMNobcuVA@mail.gmail.com |
In reply to | BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs (PG Bug reporting form <noreply@postgresql.org>) |
List | pgsql-bugs |
On Tuesday, February 18, 2025, PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 18817
Logged by: Indrajeet Deshmukh
Email address: bkindrajeeth@gmail.com
PostgreSQL version: 15.0
Operating system: Linux
Description:
Namaste Team,
During the integration of PostgreSQL Database v15 logs into a SIEM
solution, I observed that user passwords are logged in plaintext when a user
is created using the database command. This poses a serious security risk as
credentials could be exposed to unauthorized users who have access to the
logs.
Vendor: PostgreSQL
Product: PostgreSQL Database
Version: 15
Severity: High
Issue Type: Security Vulnerability
Steps to Reproduce:
Open the PostgreSQL Database CLI or execute the command via a script.
Run the following command to create a new user:
CREATE USER indrajeet WITH PASSWORD 'indrajeet'
The long-standing position here is that the encrypted password being found in the logs is not a security issue needing fixing. It’s maybe a bit unfortunate that we provide both secure and insecure methods for setting or changing a password but we do. Use the secure methods. Which means compute the encrypted password off-server and send that instead of the clear text version.
David J.
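The "compute the encrypted password off-server" advice above is what psql's `\password` and libpq's `PQencryptPasswordConn()` do for you. As an added example (not code from the thread or from PostgreSQL), the block below reproduces that computation in Python, producing a SCRAM-SHA-256 verifier in PostgreSQL's stored format so that `CREATE USER ... PASSWORD '<verifier>'` is what reaches the server and its logs, and adds a small check a SIEM rule could use to flag logged statements that still carry a cleartext literal. It assumes an ASCII password (libpq's SASLprep step is skipped) and PostgreSQL's default 4096 iterations and 16-byte salt.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Defaults matching PostgreSQL's own SCRAM-SHA-256 hashing (assumption: defaults, not tuned).
SCRAM_ITERATIONS = 4096
SCRAM_SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Build a PostgreSQL-format SCRAM-SHA-256 verifier on the client side.

    Format: SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>
    Assumes an ASCII password; SASLprep normalisation is not reproduced here.
    """
    if salt is None:
        salt = os.urandom(SCRAM_SALT_LEN)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()   # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def password_matches_verifier(verifier: str, password: str) -> bool:
    """Recompute from the embedded salt/iterations and compare (used to check the generator)."""
    _, params, _ = verifier.split("$")
    iters, salt_b64 = params.split(":")
    recomputed = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(recomputed, verifier)


# Matches the PASSWORD literal of a logged CREATE/ALTER ROLE|USER statement (one per line).
_PASSWORD_LITERAL = re.compile(r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*?\bPASSWORD\s+'([^']*)'", re.I)


def is_precomputed(literal: str) -> bool:
    """True when the literal is already a SCRAM or MD5 verifier rather than cleartext."""
    return literal.startswith("SCRAM-SHA-256$") or (literal.startswith("md5") and len(literal) == 35)


def cleartext_password_statements(log_text: str) -> list:
    """Return the cleartext PASSWORD literals found in logged statements (SIEM-style check)."""
    return [m.group(1) for m in _PASSWORD_LITERAL.finditer(log_text) if not is_precomputed(m.group(1))]


if __name__ == "__main__":
    # Constructed sample: what a log_statement = 'all' entry looks like with and without the fix.
    print(f"CREATE USER indrajeet WITH PASSWORD '{scram_sha256_verifier('indrajeet')}';")
```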