Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Critical
Fix Version/s: 2.2.0
Affects Version/s: 2.1.0
Component/s: ns_server, tools
Security Level: Public
Labels:
- customer

Description

At present cbcollect_info the output contains clear text of password. This is a potential security hole for cluster. Here are some examples that contain the clear text password:

(The password in the examples is couchbase)

couchbase.log: {creds,[{"Administrator",[

{password,"couchbase"}

]}]}]},
diag.log:['curl', '-sS', '-u', 'Administrator:couchbase', 'http://127.0.0.1:8091/diag?noLogs=1']
diag.log: {creds,[{"Administrator",[

{password,'filtered-out'}]}]}]},
diag.log: {creds,[{"Administrator",[{password,'filtered-out'}

]}]}]},
diag.log: {creds,[{"Administrator",[

{password,'filtered-out'}]}]}]},
diag.log: {creds,[{"Administrator",[{password,'filtered-out'}

]}]}]},

The diag.log is trying to filter out the clear text password. But the password is still showing in the curl command.

Attachments

Issue Links

duplicates

MB-5904 couchbase logs/diags/collectinfos should not contain user/password credentials

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Aleksey Kondratenko (Inactive)

Reporter:: Larry Liu [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 24/Jul/13 5:17 PM

Updated:: 07/Aug/13 12:07 AM

Resolved:: 02/Aug/13 1:42 AM

Gerrit Reviews

There are no open Gerrit changes

cbcollect_info output should not contain clear text password

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty