Description
At present, the cbcollect_info output contains the password in clear text. This is a potential security hole for the cluster. Here are some examples that contain the clear-text password:
(The password in the examples is couchbase)
couchbase.log: {creds,[{"Administrator",[
{password,"couchbase"}]}]}]},
diag.log:['curl', '-sS', '-u', 'Administrator:couchbase', 'http://127.0.0.1:8091/diag?noLogs=1']
diag.log: {creds,[{"Administrator",[
diag.log: {creds,[{"Administrator",[{password,'filtered-out'}
]}]}]},
diag.log: {creds,[{"Administrator",[
diag.log: {creds,[{"Administrator",[{password,'filtered-out'}
]}]}]},
diag.log tries to filter out the clear-text password, but the password still shows in the curl command.
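The two leak forms shown above can be masked before anything is written to the collected output. This is an added example, not code from cbcollect_info or the Couchbase project; the names `redact_argv`, `redact_line` and `MASK` are hypothetical, and the sample inputs are the ones quoted in this report.

```python
import re

MASK = "*****"  # placeholder chosen for this example

# Erlang-term form seen in couchbase.log: {password,"couchbase"}
_ERL_PASSWORD = re.compile(r'(\{password,\s*)"(?:[^"\\]|\\.)*"')
# user:password after -u/--user, in a shell line or a Python list repr of argv
_CURL_USER = re.compile(r"""((?:-u|--user)['"]?,?\s*['"]?[^:'"\s]+:)[^'"\s]+""")


def redact_argv(argv):
    """Return a copy of argv for logging; pass the original argv to the process."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:
            # Value following -u/--user: keep the user name, mask the password.
            user, sep, _ = arg.partition(":")
            out.append(f"{user}{sep}{MASK}" if sep else arg)
            mask_next = False
        elif arg in ("-u", "--user"):
            out.append(arg)
            mask_next = True
        elif arg.startswith("--user="):
            user, sep, _ = arg[len("--user="):].partition(":")
            out.append(f"--user={user}{sep}{MASK}" if sep else arg)
        else:
            out.append(arg)
    return out


def redact_line(line):
    """Scrub a log line that was already produced, covering both forms in the report."""
    line = _ERL_PASSWORD.sub(r"\1'filtered-out'", line)
    return _CURL_USER.sub(r"\1" + MASK, line)
```

Masking the argv at the point where the command is logged is the more reliable of the two; `redact_line` is a second pass for text that has already been captured.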
Issue Links
- duplicates MB-5904 couchbase logs/diags/collectinfos should not contain user/password credentials (Closed)