GHSA-V75G-77VF-6JJQ

Vulnerability from github – Published: 2025-05-30 20:01 – Updated: 2025-06-03 01:10
Summary
Para Server Logs Sensitive Information
Details

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 7.5 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Para Server Initialization Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java
Vulnerable Line(s): Line 132 (via logger.info(...) with root credentials)

Technical Details:

The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:

```java
logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.",
    rootAppCredentials.get("accessKey"),
    rootAppCredentials.get("secretKey"),
    confFile);
```

This exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.
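As an added example that is not part of the advisory or of the Para project: a small Python scanner that finds this exact message in collected Para server logs, records which root app key has to be rotated, and writes back a redacted copy of the log. The logback line layout, the key and secret formats and the sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Text of the line that logger.info(...) at HealthUtils.java:132 (Para 1.50.6)
# emits once SLF4J fills in the {} placeholders. Only the message is matched, as
# the logback prefix varies; the key/secret/path character classes are assumed.
LEAK_RE = re.compile(
    r"Initialized root app with access key '(?P<access>[^']+)' and secret "
    r"'(?P<secret>[^']+)', but could not write these to (?P<path>\S+?)\.?(?=\s|$)"
)

@dataclass
class Leak:
    line_no: int
    access_key_masked: str  # enough of the key to know which app to rotate
    conf_file: str          # file Para failed to write; check its permissions

def mask(value: str, keep: int = 4) -> str:
    """Keep the first `keep` characters of a key and blank the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)

def scan_log(lines):
    """Return (leaks, redacted_lines); the secret is dropped outright, never masked."""
    leaks, redacted = [], []
    for n, line in enumerate(lines, start=1):
        m = LEAK_RE.search(line)
        if m is None:
            redacted.append(line)
            continue
        leaks.append(Leak(n, mask(m.group("access")), m.group("path")))
        redacted.append(
            line[:m.start("access")] + mask(m.group("access"))
            + line[m.end("access"):m.start("secret")] + "[REDACTED]"
            + line[m.end("secret"):]
        )
    return leaks, redacted

# Constructed sample in a typical logback layout; the key and secret are fake.
SAMPLE_LOG = [
    "2025-05-30 20:01:10 INFO  c.e.p.server.utils.HealthUtils - Initialized root app "
    "with access key 'EXAMPLEACCESSKEY1234' and secret 'EXAMPLESECRETDONOTUSE', "
    "but could not write these to /opt/para/application.conf.",
    "2025-05-30 20:01:10 INFO  c.e.p.server.utils.HealthUtils - Server is healthy.",
]

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    print(f"{len(found)} leak(s): {[l.access_key_masked for l in found]}", *cleaned, sep="\n")
```

Any key the scanner reports should be treated as compromised and rotated; redacting the stored log does not undo the exposure.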


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.erudika:para-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.50.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-30T20:01:10Z",
    "nvd_published_at": "2025-06-02T12:15:25Z",
    "severity": "MODERATE"
  },
  "details": "CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)\nCVSS:  7.5 (High)\nVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n**Affected Component:** Para Server Initialization Logging\n**Version:** Para v1.50.6\n**File Path:** `para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java`\n**Vulnerable Line(s):** Line 132 (via `logger.info(...)` with root credentials)\n\nTechnical Details:\n\nThe vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:\n```java\nlogger.info(\"Initialized root app with access key \u0027{}\u0027 and secret \u0027{}\u0027, but could not write these to {}.\",\n    rootAppCredentials.get(\"accessKey\"),\n    rootAppCredentials.get(\"secretKey\"),\n    confFile);\n```\nThis exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.",
  "id": "GHSA-v75g-77vf-6jjq",
  "modified": "2025-06-03T01:10:53Z",
  "published": "2025-05-30T20:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Erudika/para"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Para Server Logs Sensitive Information"
}

