BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: bkindrajeeth(at)gmail(dot)com
Subject: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
Date: 2025-02-18 08:21:47
Message-ID: 18817-771682052a364bfe@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 18817
Logged by: Indrajeet Deshmukh
Email address: bkindrajeeth(at)gmail(dot)com
PostgreSQL version: 15.0
Operating system: Linux
Description:

Namaste Team,

During the integration of PostgreSQL Database v15 logs into a SIEM
solution, I observed that user passwords are logged in plaintext when a user
is created using the database command. This poses a serious security risk as
credentials could be exposed to unauthorized users who have access to the
logs.

Vendor: PostgreSQL
Product: PostgreSQL Database
Version: 15
Severity: High
Issue Type: Security Vulnerability

Steps to Reproduce:
Open the PostgreSQL Database CLI or execute the command via a script.
Run the following command to create a new user:

CREATE USER indrajeet WITH PASSWORD 'indrajeet'

Check the database logs (/var/lib/pgsql/data/log). Below is the JSON log
generated when I used indrajeet as user name and indrajeet as password.

{"timestamp":"2025-02-18 08:11:38.557 UTC","user":"postgres","dbname":"postgres","pid":6069,"remote_host":"ip-100-66-2-217.ec2.internal","remote_port":53964,"session_id":"67b44074.17b5","line_num":4,"ps":"idle","session_start":"2025-02-18 08:10:28 UTC","vxid":"4/29","txid":0,"error_severity":"LOG","message":"statement: CREATE USER indrajeet WITH PASSWORD 'indrajeet';","application_name":"psql","backend_type":"client backend","query_id":0}

Expected Behavior: The password should be masked or excluded from logs to
prevent exposure.

Security Impact:
Confidentiality Violation: Anyone with access to logs can view user
passwords.
Risk of Credential Theft: Attackers or unauthorized users can leverage
exposed credentials for privilege escalation or lateral movement.
Compliance Issues: This may violate security policies and regulations (e.g.,
GDPR, PCI-DSS, ISO 27001).

Please do let me know if you need additional details from my side.

Thanks,
Indrajeet Deshmukh
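Added example, not part of the bug report and not PostgreSQL's own code: the two things a SIEM integrator hitting this would want in hand. First, a filter that scans jsonlog records for a PASSWORD literal, redacts it before the record is indexed, and flags the hit (the plaintext has already been written to the database host's log file, so a hit is a rotation trigger, not just a cleanup). Second, a builder for the SCRAM-SHA-256 verifier string that PostgreSQL accepts in the PASSWORD clause, so the statement sent to the server, and therefore the statement log, carries only the hash; this is the same idea as psql's \password, which hashes client-side. The sample record is constructed to match the one in the report; function names, the role-name check and the 16-byte/4096-iteration defaults are assumptions, and SASLprep normalization of non-ASCII passwords is not implemented.

```python
import base64
import hashlib
import hmac
import json
import os
import re
from typing import Optional, Tuple

# Matches the string literal after PASSWORD in CREATE/ALTER ROLE|USER,
# including doubled single quotes inside the literal (SQL escaping).
_PASSWORD_LITERAL = re.compile(r"(\bPASSWORD\s+)'(?:[^']|'')*'", re.IGNORECASE)


def redact_password_literals(sql: str) -> str:
    """Replace the password literal of a logged statement with a fixed marker."""
    return _PASSWORD_LITERAL.sub(r"\1'[REDACTED]'", sql)


def scrub_json_log_line(line: str) -> Tuple[str, bool]:
    """Return (scrubbed_line, found) for one PostgreSQL jsonlog record.

    found is True when a password literal was present in the "message" field,
    so the pipeline can raise an alert in addition to redacting.  Lines that
    are not JSON are passed through untouched.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return line, False
    message = record.get("message", "")
    scrubbed = redact_password_literals(message)
    if scrubbed == message:
        return line, False
    record["message"] = scrubbed
    return json.dumps(record), True


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = 4096) -> str:
    """Build a SCRAM-SHA-256 verifier in the format PostgreSQL stores in
    pg_authid.rolpassword and accepts as-is in a PASSWORD clause:

        SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>

    Key derivation follows RFC 5802 / RFC 7677.  Assumes an ASCII password
    (no SASLprep step here).
    """
    if salt is None:
        salt = os.urandom(16)  # assumed default salt length
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def create_role_sql(role: str, password: str, salt: Optional[bytes] = None) -> str:
    """CREATE ROLE statement carrying only the verifier, so a statement-log
    entry for it never contains the plaintext password."""
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", role):  # assumed: plain identifiers only
        raise ValueError("role name must be a plain lowercase identifier")
    return f"CREATE ROLE {role} WITH LOGIN PASSWORD '{scram_sha256_verifier(password, salt)}'"


# Constructed jsonlog record modelled on the one in the report.
SAMPLE_LOG_LINE = (
    '{"timestamp":"2025-02-18 08:11:38.557 UTC","user":"postgres","dbname":"postgres",'
    '"pid":6069,"error_severity":"LOG",'
    '"message":"statement: CREATE USER indrajeet WITH PASSWORD \'indrajeet\';",'
    '"application_name":"psql","backend_type":"client backend","query_id":0}'
)

if __name__ == "__main__":
    scrubbed, found = scrub_json_log_line(SAMPLE_LOG_LINE)
    print("alert" if found else "clean", scrubbed)
    print(create_role_sql("app_user", "indrajeet"))
```

Run the scrub step on every record before it leaves the database host if you can; a redaction that only happens inside the SIEM still leaves the plaintext in the file the reporter was reading.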
