  1. Zeppelin
  2. ZEPPELIN-2733

Remove System Information Leak in Authentication.java


Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 0.7.3, 0.8.0
    • security
    • None

    Description

      An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
      In the file Authentication.java,

      Line 137: LOG.debug("Encrypted user key is {}", userKey);
      Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
      

      These lines may print information which can reveal some important data to the user, making it vulnerable to attacks. We should not log this sensitive information.
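
      An added example, not code from the Zeppelin project or the reporter: a small Python check that flags Java logger calls whose arguments look like key material, as in the two lines quoted above. The word list beyond `userKey` and `initVector`, the logger variable names and the constructed sample are assumptions.

```python
import re

# Words that mark an identifier as sensitive. "key" and "initvector" cover the
# two variables named in the issue (userKey, initVector); the rest are assumptions.
SENSITIVE_WORDS = {"key", "iv", "secret", "password", "passwd", "token"}
SENSITIVE_NAMES = {"initvector"}

# Assumed logger variable names (the issue only shows LOG) and SLF4J levels.
LOG_CALL = re.compile(
    r"\b(?:LOG|LOGGER|log|logger)\.(trace|debug|info|warn|error)\s*\((.*?)\)\s*;",
    re.S,
)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
CAMEL_WORD = re.compile(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])")


def is_sensitive(name):
    # Match on whole camelCase words so "monkey" or "receive" do not trip "key"/"iv".
    words = {w.lower() for w in CAMEL_WORD.findall(name)}
    return bool(words & SENSITIVE_WORDS) or name.lower() in SENSITIVE_NAMES


def find_leaky_log_calls(java_source):
    """Return (line, level, [identifiers]) for log calls passing sensitive-looking values."""
    findings = []
    for match in LOG_CALL.finditer(java_source):
        level, args = match.group(1), match.group(2)
        args = STRING_LITERAL.sub("", args)  # ignore words inside the message text
        names = sorted({n for n in IDENTIFIER.findall(args) if is_sensitive(n)})
        if names:
            line = java_source.count("\n", 0, match.start()) + 1
            findings.append((line, level, names))
    return findings


# Constructed sample: the first two lines are the ones quoted in the issue,
# the others are made up to show a non-match and a multi-line call.
SAMPLE = '''\
LOG.debug("Encrypted user key is {}", userKey);
LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
LOG.info("Received {} notes for monkey", noteCount);
LOG.warn("Login failed for {}",
    apiToken);
'''

if __name__ == "__main__":
    for line, level, names in find_leaky_log_calls(SAMPLE):
        print(f"line {line}: LOG.{level} passes {', '.join(names)}")
```

      This is a naming heuristic, so each finding needs a manual look before the log statement is removed or reduced to non-sensitive metadata.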

            People

              yanboliang Yanbo Liang
              yanboliang Yanbo Liang