Visible password at sensu-client logs after restart #1804
Comments
This is a sensu-settings issue. We need to apply redact_sensitive on this line: https://github.com/sensu/sensu-settings/blob/master/lib/sensu/settings/loader.rb#L169
Thank you for the reply. As per the analysis, the redact_sensitive method is taken care of during printing. Please note that the issue occurs only for a multiple-rabbitmq configuration. I would like to request that a CVE be assigned for the issue.
Thank you for reporting this issue. A fix has been merged to master and we are working on releasing Sensu 1.2.1, which will contain the fix.
@amdprophet thanks for the quick turnaround. I think it's valid that we should provide a CVE for it. Who is the most appropriate person to register with MITRE?
@majormoses @pdebashis we have filed for a CVE and are currently waiting for one to be assigned.
@majormoses @pdebashis we've been issued CVE-2018-1000060 to cover this vulnerability.
Configuring a single rabbitmq, sensu is able to redact the password in client logs after restart.
But when configuring multiple rabbitmqs, the plain-text password is visible.
Logs for single rabbitmq config:
Logs for multiple rabbitmq config:
This issue seems to occur because the multiple-rabbitmq config is stored in a nested array format. Sensu is not able to look up the password keyword inside the hash inside the array and hence is not able to redact the password in logs.
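The failure mode described in the report is a redaction walker that descends into hashes but treats an array as an opaque leaf, so a list of broker hashes is never inspected. The Ruby below is an added example written for this page, not code from sensu-settings or Sensu: `redact_naive` reproduces the described behaviour, `redact_deep` is a corrected walker that recurses through both hashes and arrays, and `leaks_secret?` is the check a practitioner would run against the value that is about to be logged. `SENSITIVE_KEYS`, the function names and both config hashes are assumptions constructed for the example; the project's own key list and settings format may differ.

```ruby
require "json"

# Assumed list of sensitive key names for this example (not the project's own list).
SENSITIVE_KEYS = %w[password passwd pass secret key].freeze

# Naive walker: recurses into Hash values only. An Array (such as a list of
# broker definitions) is returned untouched, so any hash inside it leaks.
def redact_naive(obj, sensitive = SENSITIVE_KEYS)
  return obj unless obj.is_a?(Hash)
  obj.each_with_object({}) do |(k, v), out|
    out[k] = sensitive.include?(k.to_s) ? "REDACTED" : redact_naive(v, sensitive)
  end
end

# Corrected walker: recurses into both Hash and Array, so nested
# [ { "password" => ... }, ... ] structures are redacted as well.
def redact_deep(obj, sensitive = SENSITIVE_KEYS)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = sensitive.include?(k.to_s) ? "REDACTED" : redact_deep(v, sensitive)
    end
  when Array
    obj.map { |v| redact_deep(v, sensitive) }
  else
    obj
  end
end

# Pre-log check: does the serialised settings object still contain the secret?
def leaks_secret?(config, secret)
  JSON.generate(config).include?(secret)
end

# Constructed sample configs (not real credentials or hosts).
SINGLE_RABBITMQ = {
  "rabbitmq" => { "host" => "mq1.example", "user" => "sensu", "password" => "hunter2" }
}.freeze

MULTI_RABBITMQ = {
  "rabbitmq" => [
    { "host" => "mq1.example", "user" => "sensu", "password" => "hunter2" },
    { "host" => "mq2.example", "user" => "sensu", "password" => "hunter2" }
  ]
}.freeze

if __FILE__ == $0
  puts "single/naive leaks:  #{leaks_secret?(redact_naive(SINGLE_RABBITMQ), 'hunter2')}"
  puts "multi/naive leaks:   #{leaks_secret?(redact_naive(MULTI_RABBITMQ), 'hunter2')}"
  puts "multi/deep leaks:    #{leaks_secret?(redact_deep(MULTI_RABBITMQ), 'hunter2')}"
  puts JSON.pretty_generate(redact_deep(MULTI_RABBITMQ))
end
```

Running it shows the single-broker config redacted by both walkers, the multi-broker config leaking under `redact_naive` and clean under `redact_deep`. The `leaks_secret?` check is cheap enough to keep as a regression test around whatever serialises settings into a log line, since it catches the class of bug (a container type the walker does not descend into) rather than this one shape.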