In the code here, the lwa params containing the accept_grant_code along with client_secret will be output into the log.
Details
Information used for Alexa authentication will be output to the log regardless of whether the program is running in debug mode or not. Based on the condition checking here, LWA parameters should only be output when the program is running in debug mode. This type of issue is described in CWE-532: Insertion of Sensitive Information into Log File.
A malicious actor could collect the plaintext sensitive information via the log.
What version of Home Assistant Core has the issue?
2024.1.2
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant Core
Integration causing the issue
No response
Link to integration documentation on our website
No response
Diagnostics information
No response
Example YAML snippet
No response
Anything in the logs that might be useful for us?
No response
Additional information
No response
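A sketch of one mitigation for the CWE-532 pattern reported above, added here as an example and not taken from the Home Assistant code base: a logging filter masks sensitive keys before any handler writes them, so the secret stays out of the log at every level. The key names, logger names and sample values are assumptions constructed for the demonstration.

```python
import io
import logging

# Assumed key names; the page names accept_grant_code and client_secret.
SENSITIVE_KEYS = frozenset({"accept_grant_code", "code", "client_secret"})
MASK = "***REDACTED***"


def redact(params):
    """Return a copy of params with sensitive values masked."""
    return {k: MASK if k in SENSITIVE_KEYS else v for k, v in params.items()}


class RedactingFilter(logging.Filter):
    """Mask sensitive keys in dict log arguments, at every log level."""

    def filter(self, record):
        args = record.args
        if isinstance(args, dict):  # logging unwraps a single dict argument
            record.args = redact(args)
        elif isinstance(args, tuple):
            record.args = tuple(
                redact(a) if isinstance(a, dict) else a for a in args
            )
        return True  # keep the record, only its arguments change


def capture(level, use_filter, params):
    """Log params at DEBUG through a logger set to `level`; return the output."""
    stream = io.StringIO()
    logger = logging.getLogger(f"lwa_demo.{level}.{use_filter}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(stream)
    if use_filter:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.debug("LWA request params: %s", params)
    return stream.getvalue()


# Constructed sample values, not real credentials.
SAMPLE = {
    "grant_type": "authorization_code",
    "accept_grant_code": "constructed-grant-code",
    "client_id": "constructed-client-id",
    "client_secret": "constructed-secret",
}
```

The filter only sees dict arguments; a string already built with `json.dumps` has to go through `redact()` before serialization.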
Hey there @home-assistant/cloud, @ochlocracy, @jbouwh, mind taking a look at this issue as it has been labeled with an integration (alexa) you are listed as a code owner for? Thanks!
Code owner commands
Code owners of alexa can trigger bot actions by commenting:
@home-assistant close Closes the issue.
@home-assistant rename Awesome new title Renames the issue.
@home-assistant reopen Reopen the issue.
@home-assistant unassign alexa Removes the current integration label and assignees on the issue, add the integration domain after the command.
@home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
@home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.