You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Kirk True (Jira)" <ji...@apache.org> on 2023/02/17 19:33:00 UTC

[jira] [Resolved] (KAFKA-14623) OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging

     [ https://issues.apache.org/jira/browse/KAFKA-14623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kirk True resolved KAFKA-14623.
-------------------------------
    Resolution: Fixed

> OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging  
> -----------------------------------------------------------------------
>
>                 Key: KAFKA-14623
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14623
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients, security
>    Affects Versions: 3.3.0, 3.3.1, 3.3.2
>            Reporter: Kirk True
>            Assignee: Kirk True
>            Priority: Major
>             Fix For: 3.3.3, 3.4.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The OAuth code that communicates via HTTP with the IdP (HttpAccessTokenRetriever.java) includes logging that outputs the request and response payloads. Among them are:
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L265]
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L274]
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L320]
> It should be determined if there are other places sensitive information might be inadvertently exposed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)