youlong chen created ZOOKEEPER-4994:
---------------------------------------
Summary: Authentication Credential Logging
Key: ZOOKEEPER-4994
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4994
Project: ZooKeeper
Issue Type: Bug
Components: server
Affects Versions: 3.9.4
Reporter: youlong chen
h2. Security Vulnerability Report: Authentication Credential Logging
*Code Location :*
{{org.apache.zookeeper.server.auth.KeyAuthenticationProvider}} (Lines 93-113)
*Description:*
The authentication provider logs sensitive authentication credentials (keys and auth data) in plain text at line 99:
{code:java}
LOG.debug("KeyAuthenticationProvider handleAuthentication ({}, {}) -> FAIL.\n", keyStr, authStr);
{code}
*Impact:*
# Authentication keys are exposed in debug logs during failed authentication attempts
# Potential credential leakage through log files, log aggregation systems, or monitoring tools
# Compliance framework violations (PCI-DSS, GDPR, etc.)
*Recommendation:*
Remove or redact sensitive parameters from the log statement:
{code:java}
LOG.debug("KeyAuthenticationProvider handleAuthentication -> FAIL (credentials redacted)");
{code}
Alternatively, log only non-sensitive metadata (timestamp, source IP, attempt count) without actual credential values.
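The following is an added illustration, not ZooKeeper code and not part of this report: it places the credential-leaking message format next to the recommended metadata-only form, and adds a small guard that a unit test can use to confirm a log line never contains the key or auth data. The class {{RedactedAuthLogging}}, its method names, and the sample values are hypothetical; only the SLF4J {{Logger}} API is real.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (hypothetical class, not from the ZooKeeper code base).
 * Shows the leaking debug message beside a redacted, metadata-only message,
 * plus a check that log output never carries credential values.
 */
public class RedactedAuthLogging {

    private static final Logger LOG = LoggerFactory.getLogger(RedactedAuthLogging.class);

    /** The pattern the report flags: key and auth data are interpolated verbatim. */
    static String unsafeFailureMessage(String keyStr, String authStr) {
        // Same effect as LOG.debug("... ({}, {}) -> FAIL", keyStr, authStr)
        return "KeyAuthenticationProvider handleAuthentication ("
                + keyStr + ", " + authStr + ") -> FAIL";
    }

    /** Recommended form: no credential values, only non-sensitive metadata. */
    static String safeFailureMessage(String sourceIp, int attemptCount, long epochMillis) {
        return "KeyAuthenticationProvider handleAuthentication -> FAIL (credentials redacted)"
                + " source=" + sourceIp
                + " attempts=" + attemptCount
                + " at=" + epochMillis;
    }

    /**
     * Guard for tests or a log-scrubbing review: true if any secret appears
     * verbatim in the rendered log line.
     */
    static boolean leaksCredential(String logLine, String... secrets) {
        for (String secret : secrets) {
            if (secret != null && !secret.isEmpty() && logLine.contains(secret)) {
                return true;
            }
        }
        return false;
    }

    /** Emits the redacted message; the secret variables are never passed to the logger. */
    static void logFailure(String sourceIp, int attemptCount) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{}", safeFailureMessage(sourceIp, attemptCount, System.currentTimeMillis()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        String keyStr = "sample-key-value";
        String authStr = "sample-user:sample-token";

        String unsafe = unsafeFailureMessage(keyStr, authStr);
        String safe = safeFailureMessage("10.0.0.5", 3, 0L);

        System.out.println("unsafe message leaks credential: " + leaksCredential(unsafe, keyStr, authStr));
        System.out.println("safe message leaks credential:   " + leaksCredential(safe, keyStr, authStr));

        logFailure("10.0.0.5", 3);
    }
}
```

The {{leaksCredential}} check is the part worth keeping around: wiring it into a unit test over every authentication log path catches a reintroduced credential parameter before it reaches log aggregation.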
--
This message was sent by Atlassian Jira
(v8.20.10#820010)