Improper Handling of Database Credentials During Logging

Issue:	SI-70
Date:	Mar 15, 2024, 1:00:00 AM
Severity:	Medium
Requires Admin Access:	No
Fix Version:	24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS
Credit:	Internal Security Team
Description:	The username and password for PostgreSQL database connections appears in the log output visible in the System → Maintenance tool. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N&version=3.1 AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Risk score: 4.5
Mitigation:	Database credentials are prohibited from logging in the log output.
References	Affected versions: 22.02 and later. https://www.cve.org/CVERecord?id=CVE-2024-3165

Developer