From: | Indrajeeth Deshmukh <bkindrajeeth(at)gmail(dot)com> |
---|---|
To: | David Rowley <dgrowleyml(at)gmail(dot)com> |
Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs |
Date: | 2025-02-18 12:52:36 |
Message-ID: | CAAapt1i2Mf=S0FtPz8Z9RNkez=nP50AcYDVC7Dm8r=cskMn7tg@mail.gmail.com |
Lists: | pgsql-bugs |
Namaste David,
Thanks for sharing the details. It looks like a valid issue and has not
been resolved yet. Currently, the solution is keeping the file
secure, but when it comes to SIEM monitoring, it will be a major concern.
Any thoughts on this?
Thanks,
Indrajeet Deshmukh
On Tue, Feb 18, 2025 at 5:51 PM David Rowley <dgrowleyml(at)gmail(dot)com> wrote:
> On Tue, 18 Feb 2025 at 22:51, PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> > During the integration of PostgreSQL Database v15 logs into a SIEM
> > solution, I observed that user passwords are logged in plaintext when a
> > user is created using the database command. This poses a serious security
> > risk as credentials could be exposed to unauthorized users who have access
> > to the logs.
>
> > Steps to Reproduce:
>
> > CREATE USER indrajeet WITH PASSWORD 'indrajeet'
>
> There's some relevant discussion about this in [1], in particular, see [2].
>
> David
>
> [1] https://www.postgresql.org/message-id/flat/CALNJ-vRQB81F9Q9V%2BoDPsCTF-%2B0o_xR3%3D7_GAZfyg2sEaEfQJA%40mail.gmail.com#1f62ceb364243164a3d3a41530db055f
> [2] https://www.postgresql.org/message-id/1250706.1658622457%40sss.pgh.pa.us
>
--
Regards,
Indrajeet Deshmukh
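
For the SIEM concern raised in this message, one option is to mask password literals in logged statements before the records leave the database host. The following is an added example, not part of the original thread and not PostgreSQL code; the function names, the mask string and the sample log records (the first modelled on the statement in the report) are constructed for illustration.

```python
import re

# Matches the string literal that follows the PASSWORD keyword in logged
# CREATE/ALTER USER|ROLE statements. Three literal forms are covered.
_PASSWORD_LITERAL = re.compile(
    r"""\b(PASSWORD\s+)              # keyword; whitespace may span lines
        (?:E'(?:[^'\\]|\\.|'')*'     # E-string: backslash escapes allowed
          |'(?:[^']|'')*'            # standard string: '' is an escaped quote
          |E?'.*\Z)                  # unterminated (truncated record): mask to end
    """,
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)
MASK = "'<redacted>'"  # assumption: any fixed marker your SIEM parser accepts


def redact_passwords(record: str) -> tuple:
    """Return (record with password literals masked, number of literals masked)."""
    return _PASSWORD_LITERAL.subn(lambda m: m.group(1) + MASK, record)


# Constructed sample records; the first uses the statement from the report.
SAMPLE_RECORDS = [
    "2025-02-18 12:00:01 UTC [4242] LOG:  statement: "
    "CREATE USER indrajeet WITH PASSWORD 'indrajeet'",
    "2025-02-18 12:00:02 UTC [4242] LOG:  statement: "
    "ALTER ROLE app PASSWORD 'it''s' VALID UNTIL 'infinity';",
    "2025-02-18 12:00:03 UTC [4242] LOG:  statement: ALTER USER app\n"
    "\tPASSWORD E'a\\'b'",
    "2025-02-18 12:00:04 UTC [4243] LOG:  connection authorized: user=app",
]


def scrub(records):
    """Mask every record and count how many carried a password literal."""
    cleaned, hits = [], 0
    for record in records:
        text, n = redact_passwords(record)
        cleaned.append(text)
        hits += 1 if n else 0
    return cleaned, hits


if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE_RECORDS)
    print("\n".join(cleaned))
    print(f"{hits} record(s) contained a password literal")
```

Masking at the forwarder does not change what is written to the server's own log file, so that file still needs restricted permissions.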