GHSA-v75g-77vf-6jjq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v75g-77vf-6jjq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-v75g-77vf-6jjq/GHSA-v75g-77vf-6jjq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v75g-77vf-6jjq
- Aliases
- Published
- 2025-05-30T20:01:10Z
- Modified
- 2025-06-03T01:27:14.842843Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Para Server Logs Sensitive Information
- Details
-
CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 7.5 (High) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Para Server Initialization Logging Version: Para v1.50.6 File Path:
para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.javaVulnerable Line(s): Line 132 (vialogger.info(...)with root credentials)Technical Details:
The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:
logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.", rootAppCredentials.get("accessKey"), rootAppCredentials.get("secretKey"), confFile);This exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.
- Database specific
{ "github_reviewed_at": "2025-05-30T20:01:10Z", "cwe_ids": [ "CWE-532" ], "nvd_published_at": "2025-06-02T12:15:25Z", "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
Maven / com.erudika:para-server
Package
- Name
- com.erudika:para-server
- View open source insights on deps.dev
- Purl
- pkg:maven/com.erudika/para-server
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.50.8