exploitDog

GHSA-v75g-77vf-6jjq

Published: 30 May 2025
Source: github
GitHub: reviewed
CVSS3: 6.2

Description

Para Server Logs Sensitive Information

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 7.5 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Para Server Initialization Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java
Vulnerable Line(s): Line 132 (via logger.info(...) with root credentials)

Technical Details:

The vulnerability is located in HealthUtils.java: when the root app's credentials cannot be written to the configuration file, the failure path emits the following logging statement:

logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.", rootAppCredentials.get("accessKey"), rootAppCredentials.get("secretKey"), confFile);

This writes both the access key and the secret key into the log in clear text, without redaction. The credentials are later reused in variable assignments for persistence, so logging them adds nothing that debugging or health checks require; the failure to write the file could be reported without including the secret values.
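To show the difference concretely, here is an added example (not Para's code, and the class and helper names are hypothetical) that builds the same initialization message in its vulnerable form and in a redacted form, and checks that the secret never reaches the log line:

```java
import java.util.Map;
import java.util.logging.Logger;

// Added illustration, not Para's own code. Shows the log message from the
// advisory in its vulnerable form next to a form that withholds the secret.
public class RootAppLogging {
    private static final Logger logger = Logger.getLogger(RootAppLogging.class.getName());

    // Keep only a short prefix of the access key so operators can still
    // correlate the app, never the full value. Hypothetical helper.
    static String redactKey(String value) {
        if (value == null || value.length() < 8) {
            return "[redacted]";
        }
        return value.substring(0, 4) + "...[redacted]";
    }

    // Equivalent to the logger.info(...) call at HealthUtils.java line 132:
    // both the access key and the secret land in the log in clear text.
    static String vulnerableMessage(Map<String, String> creds, String confFile) {
        return "Initialized root app with access key '" + creds.get("accessKey")
             + "' and secret '" + creds.get("secretKey")
             + "', but could not write these to " + confFile + ".";
    }

    // Hardened form: the secret is never interpolated and the key is truncated.
    // The operator still learns that the write failed and which file it was.
    static String safeMessage(Map<String, String> creds, String confFile) {
        return "Initialized root app with access key '" + redactKey(creds.get("accessKey"))
             + "' (secret withheld from log), but could not write credentials to "
             + confFile + ".";
    }

    public static void main(String[] args) {
        // Constructed sample values, not real Para credentials.
        Map<String, String> creds = Map.of(
            "accessKey", "app:para-root-sample",
            "secretKey", "s3cr3t-sample-value");
        String conf = "application.conf";

        // The vulnerable message contains the secret; the safe one must not.
        String secret = creds.get("secretKey");
        if (!vulnerableMessage(creds, conf).contains(secret)) {
            throw new IllegalStateException("vulnerable form should expose the secret");
        }
        String safe = safeMessage(creds, conf);
        if (safe.contains(secret) || safe.contains(creds.get("accessKey"))) {
            throw new IllegalStateException("credential leaked into log message");
        }
        logger.info(safe);
    }
}
```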

Packages

Name: com.erudika:para-server (maven)
Affected versions: < 1.50.8
Fixed version: 1.50.8

EPSS

Percentile: 5%
0.00022
Low

6.2 Medium

CVSS3

Weaknesses

CWE-532

Related vulnerabilities

CVSS3: 6.2
nvd
8 months ago

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.
