Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
Indrajeeth Deshmukh <bkindrajeeth@gmail.com>
From: Indrajeeth Deshmukh <bkindrajeeth@gmail.com>
To: David Rowley <dgrowleyml@gmail.com>
Cc: pgsql-bugs@lists.postgresql.org
Date: 2025-02-18T12:52:36Z
Lists: pgsql-bugs
Namaste David, Thanks for sharing the details. It looks like a valid issue and has not been resolved yet. Currently, the solution is keeping the file remains secure, but when it comes to SIEM monitoring, it will be a major concern. Any thoughts on this? Thanks, Indrajeet Deshmukh On Tue, Feb 18, 2025 at 5:51 PM David Rowley <dgrowleyml@gmail.com> wrote: > On Tue, 18 Feb 2025 at 22:51, PG Bug reporting form > <noreply@postgresql.org> wrote: > > During the integration of PostgreSQL Database v15 logs into a SIEM > > solution,I observed that user passwords are logged in plaintext when a > user > > is created using the database command. This poses a serious security > risk as > > credentials could be exposed to unauthorized users who have access to the > > logs. > > > Steps to Reproduce: > > > CREATE USER indrajeet WITH PASSWORD 'indrajeet' > > There's some relevant discussion about this in [1], in particular, see [2]. > > David > > [1] > https://www.postgresql.org/message-id/flat/CALNJ-vRQB81F9Q9V%2BoDPsCTF-%2B0o_xR3%3D7_GAZfyg2sEaEfQJA%40mail.gmail.com#1f62ceb364243164a3d3a41530db055f > [2] > https://www.postgresql.org/message-id/1250706.1658622457%40sss.pgh.pa.us > -- Regards, Indrajeet Deshmukh