You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default, Persist Security Info is set to false in a connection string. According to the docs:
When set to false or no (strongly recommended), security-sensitive information, such as the password, is not returned as part of the connection string if the connection is open or has ever been in an open state.
However, by cloning an existing connection, the password can be retrieved from an open connection, violating the expectations around Persist Security Info=false. This represents a potential information disclosure vulnerability, although it seems likely that any untrusted code that could call this method could also just use reflection to access this private data.
A possible problem might be if a database access layer automatically logged the connection string when (for example) an exception occurred. Even still, this would likely only be logged for an open connection, which would redact the password from the connection string (whether cloned or not).
The text was updated successfully, but these errors were encountered:
By default,
Persist Security Info
is set tofalse
in a connection string. According to the docs:However, by cloning an existing connection, the password can be retrieved from an open connection, violating the expectations around
Persist Security Info=false
. This represents a potential information disclosure vulnerability, although it seems likely that any untrusted code that could call this method could also just use reflection to access this private data.A possible problem might be if a database access layer automatically logged the connection string when (for example) an exception occurred. Even still, this would likely only be logged for an open connection, which would redact the password from the connection string (whether cloned or not).
The text was updated successfully, but these errors were encountered: