Описание
Para Inserts Sensitive Information into Log File for Facebook authentication
CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
Here, PROFILE_URL is a constant:
This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
Пакеты
com.erudika:para-server
< 1.50.8
1.50.8
Связанные уязвимости
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.