By default, Persist Security Info is set to false in a connection string. According to the docs:
When set to false or no (strongly recommended), security-sensitive information, such as the password, is not returned as part of the connection string if the connection is open or has ever been in an open state.
However, by cloning an existing connection, the password can be retrieved from an open connection, violating the expectations around Persist Security Info=false. This represents a potential information disclosure vulnerability, although it seems likely that any untrusted code that could call this method could also just use reflection to access this private data.
A possible problem might be if a database access layer automatically logged the connection string when (for example) an exception occurred. Even still, this would likely only be logged for an open connection, which would redact the password from the connection string (whether cloned or not).
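For the logging scenario described above, a data access layer can redact the password itself instead of relying on the connection's state or on `Persist Security Info`. This is an added example, not part of the original issue or the driver's code; the class name, the list of secret keywords and the sample connection string are assumptions.

```csharp
using System;
using System.Data.Common;

static class ConnectionStringLogging
{
    // Keywords treated as secrets. This list is an assumption; extend it
    // with any other secret-bearing keywords your provider accepts.
    static readonly string[] SecretKeys = { "Password", "Pwd" };

    // Returns a copy of the connection string that is safe to write to a log,
    // whether it came from an open, closed or cloned connection.
    public static string Redact(string connectionString)
    {
        if (string.IsNullOrEmpty(connectionString))
            return string.Empty;

        try
        {
            // The generic ADO.NET builder parses key=value pairs and
            // matches keywords case-insensitively.
            var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
            foreach (var key in SecretKeys)
            {
                if (builder.ContainsKey(key))
                    builder[key] = "*****";
            }
            return builder.ConnectionString;
        }
        catch (ArgumentException)
        {
            // Unparseable input: log a marker rather than risk leaking a secret.
            return "<unparseable connection string>";
        }
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        var sample = "Server=db.example.internal;User ID=app;Password=s3cret;Persist Security Info=false";
        Console.WriteLine(Redact(sample));
    }
}
```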