23-05-17 Potential Leak of Sensitive Information through Logging

Description

When a connection is deployed, or the list of current connections is fetched, sensitive information about the connection (username, server, password) is written to the log at level INFO. Any user with access to the instance logs can therefore read and reuse the connection credentials.
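The following is an added example and not IntegrationManager code: it places the logging pattern the advisory describes (the whole connection, password included, at INFO) beside a hardened summary that never carries the secret, adds a handler-level redacting filter as defence in depth, and finishes with a small scanner a defender can run over exported log lines to confirm no connection password survives. The `Connection` class, the field names other than `password`, and the sample log lines are all constructed for the example.

```python
"""Added example (not IntegrationManager code): the leak pattern beside a redacting
logger, plus a scanner that flags log lines still exposing a connection secret."""
import io
import logging
import re
from dataclasses import dataclass

# Keys treated as secrets. The advisory names only the password; the rest are an assumption.
SECRET_KEYS = ("password", "passwd", "secret", "token", "apikey")
# key=value or key: value, skipping values that are already masked with ***
SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\s*[=:]\s*(?!\*\*\*)(\S+)"
)


@dataclass
class Connection:  # constructed stand-in for an IM connection definition
    name: str
    username: str
    server: str
    password: str


def connection_summary_unsafe(conn: Connection) -> str:
    """The pattern the advisory describes: the full connection, password included."""
    return (f"Deployed connection {conn.name}: username={conn.username} "
            f"server={conn.server} password={conn.password}")


def connection_summary_safe(conn: Connection) -> str:
    """Hardened form: the secret is never part of the message in the first place."""
    return (f"Deployed connection {conn.name}: username={conn.username} "
            f"server={conn.server} password=***")


def redact(text: str) -> str:
    """Replace the value of every secret-looking key=value pair with ***."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=***", text)


class RedactingFilter(logging.Filter):
    """Defence in depth: even a raw connection dump is masked before it reaches the handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then mask the result
        record.args = ()                          # message is already fully formatted
        return True


def build_logger(name: str = "im.connections"):
    """Logger writing to an in-memory buffer so the output can be inspected offline."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, buf


def find_leaks(log_lines):
    """Return (line_number, key) for each line that still carries an unmasked secret value.
    Intended as a check over exported Log History output after applying the fix."""
    leaks = []
    for number, line in enumerate(log_lines, 1):
        for match in SECRET_RE.finditer(line):
            leaks.append((number, match.group(1).lower()))
    return leaks


# Constructed sample data; not real IM output.
SAMPLE_CONN = Connection("pricefx", "im_user", "https://example.invalid", "S3cr3t!")
SAMPLE_LOG_LINES = [
    "INFO Deployed connection pricefx: username=im_user server=https://example.invalid password=S3cr3t!",
    "INFO Fetched 1 connection(s) for instance X",
    "INFO Deployed connection pricefx: username=im_user server=https://example.invalid password=***",
]


def demo() -> str:
    """Log the unsafe and safe summaries through the redacting logger; return the captured text."""
    logger, buf = build_logger()
    logger.info(connection_summary_unsafe(SAMPLE_CONN))  # the filter masks the password
    logger.info(connection_summary_safe(SAMPLE_CONN))
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
    print("leaks:", find_leaks(SAMPLE_LOG_LINES))
```

`find_leaks` only reports values that are not already `***`, so it can be run against a log export before and after the upgrade to show the difference; the filter is a safety net, and the real fix is the safe summary that never includes the secret at all.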

Affected IM Versions

2.3.0 – 3.4.0

Attack Vectors

  1. Create a provisioned instance X.

  2. In PlatformManager, obtain access rights to the account Y that contains instance X.

  3. Deploy a pricefx connection to instance X.

  4. Open the Log History tab of instance X and set the log time range to the last 30 minutes.

  5. Sensitive information is shown in the logs.

Recommendation

  • IMs 2.3.0 – 2.6.6 – Upgrade immediately to version 2.6.7 (LTS), where this issue was fixed.

  • IMs 3.0.0 – 3.4.0 – Upgrade immediately to version 3.5.2, or directly to 3.7.3, which is an LTS version. These versions no longer write sensitive information to the log.


IntegrationManager version 5.8.0