Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces · Issue #13300 · apache/cloudstack · GitHub
Open Graph Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces · Issue #13300 · apache/cloudstack
X Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces · Issue #13300 · apache/cloudstack
Description: Advisory Details Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces Description: Summary An information exposure vulnerability exists in Apache CloudStack where plaintext CIFS secondary storage credentials...
Open Graph Description: Advisory Details Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces Description: Summary An information exposure vulnerability exists in Apache CloudStack where plai...
X Description: Advisory Details Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces Description: Summary An information exposure vulnerability exists in Apache CloudStack where plai...
Opengraph URL: https://github.com/apache/cloudstack/issues/13300
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces","articleBody":"### Advisory Details\n\n**Title**: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces\n\n**Description**:\n\n### Summary\n\nAn information exposure vulnerability exists in Apache CloudStack where plaintext CIFS secondary storage credentials (including passwords) are logged directly to system files (such as `agent.log`, `vmops.log` or management server logs) and exception message traces. During the mounting, status checking, and automatic discovery phases of a CIFS storage pool containing sensitive query parameters (e.g. `cifs://host/share?user=foo\u0026password=bar`), the application directly records the raw, unsanitized `URI` or `URL` objects, bypassing the standard log sanitization filters.\n\n### Details\n\nIn CloudStack, the `NfsSecondaryStorageResource.java`, `LocalNfsSecondaryStorageResource.java`, and `SecondaryStorageDiscoverer.java` classes handle mounting and discovering secondary storage networks. The original patch for **Issue-cloudstack-8853** introduced `StringUtils.cleanString(extraOptions)` to scrub plaintext passwords from the parsed mount options log block. However, multiple critical logging paths print raw `URI.toString()` or `secUrl` strings without wrapping them in the sanitization mechanism.\n\nSpecifically:\n- **SSVM Mounting Phase (`NfsSecondaryStorageResource.java`)**: \n Raw `uri` and `secUrl` strings are formatted into logger warnings, debug logs, and exceptions when executing mount commands, creating directory structures, and throwing scheme exceptions.\n- **Local Mounting Phase (`LocalNfsSecondaryStorageResource.java`)**: \n The raw `secUrl` string is printed within the catch block of the `getRootDir` method.\n- **Management Server Discovery Phase (`SecondaryStorageDiscoverer.java`)**: \n Raw unsanitized `uri.toString()` is logged during secondary storage type discovery validation and mounting failure checkpoints.\n\nThis allows any administrative user or malicious operator with access to standard logs, ELK/Splunk collectors, or REST API error response payloads to retrieve the plaintext Samba/Windows domain credentials.\n\n---\n\n### PoC\n\n#### Prerequisites\n- Administrative credentials for CloudStack Management Server REST API (`/client/api`).\n- Standard environment configured to register secondary storage pools.\n\n#### Reproduction Steps\n1. Download the defect verification PoC script from: [verification_test.py](https://gist.github.com/YLChen-007/f6976a2c5a25620f2a97e41408d22784)\n2. Download the scientific control group script from: [control-masked_output.py](https://gist.github.com/YLChen-007/068ce1114317704b4179bfca702908e7)\n3. Execute the verification script:\n ```bash\n python3 verification_test.py\n ```\n4. Observe that under a live or academic offline analysis, the script detects the unpatched raw URI variables which expose credentials within `NfsSecondaryStorageResource`, `LocalNfsSecondaryStorageResource`, and `SecondaryStorageDiscoverer`.\n5. Execute the control script to verify baseline security under normal usage parameters:\n ```bash\n python3 control-masked_output.py\n ```\n\n---\n\n### Log of Evidence\n\n```\n=== Verification Test Output ===\n[*] Running Issue-cloudstack-8853 CIFS Storage Plaintext Password Exposure Verification Test...\n[*] Attempting to add an image store with sensitive URL: cifs://192.168.1.200/share?user=cifsuser\u0026password=mysecretpassword123\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?name=CIFS_Image_Store_Test\u0026provider=DefaultImageStore\u0026zoneid=1\u0026url=cifs%3A%2F%2F192.168.1.200%2Fshare%3Fuser%3Dcifsuser%26password%3Dmysecretpassword123\u0026command=addImageStore\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=SxUFwcMwJgdiJu7Dti0UXENmbKc%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: CIFS logging in NfsSecondaryStorageResource.java,\n LocalNfsSecondaryStorageResource.java, and SecondaryStorageDiscoverer.java confirmed.\n[*] Specifically, raw cifs URIs/URLs containing plaintext passwords were logged by:\n - NfsSecondaryStorageResource: logger.debug(\"mount \" + uri.toString() ...)\n - LocalNfsSecondaryStorageResource: logger.error(\"GetRootDir for \" + secUrl ...)\n - SecondaryStorageDiscoverer: logger.warn(\"Unable to mount \" + uri.toString() ...)\n[*] The fixes have successfully wrapped these values in StringUtils.cleanString(...) to mask the passwords.\n\n=== Control Test Output ===\n[*] Running Issue-cloudstack-8853 CIFS Storage Control Test (Baseline)...\n[*] Attempting to add an image store with normal URL: cifs://192.168.1.200/share?user=cifsuser\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?name=CIFS_Image_Store_Control\u0026provider=DefaultImageStore\u0026zoneid=1\u0026url=cifs%3A%2F%2F192.168.1.200%2Fshare%3Fuser%3Dcifsuser\u0026command=addImageStore\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=D6r2YQ7xC4QlHFw12qNNu2bz9Oc%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[*] CloudStack Management Server is offline.\n[*] Academic verification (Control Group): Omission of sensitive 'password' query parameter.\n[*] Verifying that without password parameters in the URI, no passwords will be exposed.\n[*] Expected behavior: Security mechanism functions correctly and no plaintext password is leaked.\n```\n\n---\n\n### Impact\n\n- **Vulnerability Type**: Sensitive Information Exposure (Plaintext Credentials Exposure)\n- **Impact**: Full compromise of secondary storage credentials (Samba/CIFS/Windows Share secrets). An attacker or low-privileged operator with log-read capabilities can steal domain credentials to view, alter, delete, or backdoor global VM templates, ISOs, and snapshot volumes.\n- **Access Privilege**: Administrative log collection access / REST exception trace exposure.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.23.0.0-SNAPSHOT\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\n\n---\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3077](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3077) | Logging of raw unsanitized CIFS URI string in the mounting lifecycle methods in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3094](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3094) | Unsanitized logging of CIFS mounting URI during cmdline script setup parameters in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3117](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3117) | Exposing plaintext credentials when formatting storage scheme validation error messages in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3178](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3178) | Plaintext URI string formatting when outputting debug messages inside `mountExists` check paths in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3186](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3186) | Printing raw unsanitized URI in debug log block of `ensureLocalRootPathExists` in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3195](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3195) | Logging of raw URI on folder creation failure exception paths in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L1995](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L1995) | Raw `secUrl` parameter string formatting inside the `executeRequest` catch-blocks in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2697](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2697) | Logging of un-scrubbed `secUrl` string on `getDir` method path failures in `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2709](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2709) | Raw `secUrl` logging inside debug messages in `getRootDir` under `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2714](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L2714) | Exposing `secUrl` when constructing and throwing `CloudRuntimeException` inside `NfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/LocalNfsSecondaryStorageResource.java#L55](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/LocalNfsSecondaryStorageResource.java#L55) | Logging and throwing unscrubbed `secUrl` strings inside the `getRootDir` method exception handler of `LocalNfsSecondaryStorageResource`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/SecondaryStorageDiscoverer.java#L78](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/SecondaryStorageDiscoverer.java#L78) | Logging of raw `uri.toString()` string during storage discovery checks in `SecondaryStorageDiscoverer`. |\n| [https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/SecondaryStorageDiscoverer.java#L116](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/SecondaryStorageDiscoverer.java#L116) | Logging of unsanitized CIFS URI string on storage server mount execution warnings in `SecondaryStorageDiscoverer`. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:04:29.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13300/cloudstack/issues/13300"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:dae22324-2d3d-0557-92bb-d81a411622bd |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C0F0:333B4C:1A9880:241F8F:6A51137F |
| html-safe-nonce | e1e30fcf240a6d10033783cef45c6c90073d479094e7eea4573d2d8dc0ab93f3 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDMEYwOjMzM0I0QzoxQTk4ODA6MjQxRjhGOjZBNTExMzdGIiwidmlzaXRvcl9pZCI6IjI2Mjc0NDE0OTQ4Nzc4Njg5MjciLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 7f124de07e8e8236deaa09905901ae767f1ebb07acd41e39bce25114963c4faf |
| hovercard-subject-tag | issue:4561050618 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13300/issue_layout |
| twitter:image | https://opengraph.githubassets.com/ae7edc52abccbd7cba8dd7c05f9719ef2f41a5080c287e83b6d9e2fad0b644d7/apache/cloudstack/issues/13300 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/ae7edc52abccbd7cba8dd7c05f9719ef2f41a5080c287e83b6d9e2fad0b644d7/apache/cloudstack/issues/13300 |
| og:image:alt | Advisory Details Title: Plaintext CIFS Storage Credential Leakage in Log Files and Exception Traces Description: Summary An information exposure vulnerability exists in Apache CloudStack where plai... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | b076e100febaa00374cd89239f915d00dd3187f7c68b12bc2b7688181305344d |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | f9137f6d981cbbfd780af369f80ce890b2d0d2d4 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width