René's URL Explorer Experiment


Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack · GitHub

Open Graph Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack

X Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack

Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing ...

Open Graph Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating...

X Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating...

Opengraph URL: https://github.com/apache/cloudstack/issues/13301

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`)","articleBody":"### Advisory Details\n\n**Title**: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`)\n\n**Description**:\nIn Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing templates) is executed under the asynchronous job framework (`cloud-framework-jobs`). During execution, progress or status updates are processed and logged by the management server via `AsyncJobManagerImpl.updateAsyncJobStatus`.\n\nWhile the developers previously patched a sensitive password leak in the job completion logger (`completeAsyncJob`), they completely missed `updateAsyncJobStatus`. Specifically, in [AsyncJobManagerImpl.java](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442), progress/status updates were directly logged in plain text when `DEBUG` logging was enabled:\n```java\n    @Override\n    @DB\n    public void updateAsyncJobStatus(final long jobId, final int processStatus, final String resultObject) {\n        if (logger.isDebugEnabled()) {\n            logger.debug(\"Update async-job progress, job-\" + jobId + \", processStatus: \" + processStatus + \", result: \" + resultObject);\n        }\n```\n\nIf an asynchronous operation reports progress containing a serialized command response, database configuration, or credentials (such as standard fields containing `\"password\"`), these raw, unmasked secrets will leak directly into the management server log files.\n\n---\n\n### Summary\n\nAn information exposure vulnerability exists in Apache CloudStack's asynchronous job execution framework (`cloud-framework-jobs`). When `DEBUG` level logging is enabled on the management server, intermediate status/progress updates containing raw, unmasked sensitive credentials (such as standard `\"password\"` fields) are printed in plain text directly to the system log via `AsyncJobManagerImpl.updateAsyncJobStatus`. This bypasses existing password obfuscation mechanisms implemented in other parts of the job framework.\n\n---\n\n### Details\n\nDuring asynchronous job execution, progress updates are logged via `AsyncJobManagerImpl.updateAsyncJobStatus`. Unlike `AsyncJobManagerImpl.completeAsyncJob`, which properly obfuscates user passwords using `convertHumanReadableJson(obfuscatePassword(resultObject, HidePassword.value()))`, `updateAsyncJobStatus` directly outputs `resultObject` to the logger without any filtering or sanitization. Consequently, any JSON payload containing sensitive fields such as `\"password\"` or database configurations with credentials is written in plain text to log files, exposing them to any user or internal service with log access.\n\n---\n\n### PoC\n\n#### Prerequisites\n- A standard Java and Maven build environment.\n- The `org.apache.cloudstack:cloud-framework-jobs` module compiled.\n- Logging level for `org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl` configured to `DEBUG`.\n\n#### Reproduction Steps\n\n1. Download the Docker Environment Configuration file: [docker-compose.yml](https://gist.github.com/YLChen-007/e804cb11fb975c6d23a81fc8d6b95c0f)\n2. Download the Replication Test Automation script: [verification_test_Issue-cloudstack-8854.py](https://gist.github.com/YLChen-007/685a0d477c87272d11ccb5cab2fe2d2a)\n3. Download the Control Group Test script: [control-obfuscation_check.py](https://gist.github.com/YLChen-007/41c50a13a5beec322cc672a014eee7f4)\n4. Execute the replication script from the root of the workspace to build the module, run the regression test, and witness the plain text leak:\n   ```bash\n   python3 verification_test_Issue-cloudstack-8854.py\n   ```\n5. Execute the control group script to verify that the password obfuscation logic functions correctly under normal conditions:\n   ```bash\n   python3 control-obfuscation_check.py\n   ```\n\n---\n\n### Log of Evidence\n\n```text\n23:13:05.397 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - Update async-job progress, job-1, processStatus: 1, result: {\"password\":\"mysecretpassword\",\"other\":\"field\"}\n23:13:05.402 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - job-1 no longer exists, we just log progress info here. progress status: 1\nCaptured Writer Log Output:\nUpdate async-job progress, job-1, processStatus: 1, result: {\"password\":\"mysecretpassword\",\"other\":\"field\"}job-1 no longer exists, we just log progress info here. progress status: 1\n[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.185 s \u003c\u003c\u003c FAILURE! - in org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest\n[ERROR] testUpdateAsyncJobStatusObfuscation(org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest)  Time elapsed: 0.754 s  \u003c\u003c\u003c FAILURE!\njava.lang.AssertionError: Vulnerability Triggered: plaintext password leaked!\n        at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest.testUpdateAsyncJobStatusObfuscation(AsyncJobManagerImplTest.java:118)\n```\n\n---\n\n### Impact\n\n- **Vulnerability Type**: Information Exposure / Log Injection of Sensitive Credentials\n- **Asset Compromise**: High. Exposing administrator and virtual machine passwords or other private API keys inside standard log files allows local attackers, internal users, or compromised log ingestion pipelines (ELK, Splunk) to gain complete access to hypervisors, OOB/IPMI consoles, and private cloud infrastructure.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-framework-jobs\n- **Affected versions**: \u003c= 4.22.1.0 (commit: `348ce953a99246a756b527994f7745a7be038234`)\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n\n---\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442) | The vulnerable logging statement inside `updateAsyncJobStatus` method that prints raw progress results containing plain text passwords without any obfuscation filter. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:04:43.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13301/cloudstack/issues/13301"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:e0945fcd-f197-6c32-7020-292e165e07f0
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idED8C:D3583:9F5D46:DC1122:6A4DDDC9
html-safe-noncefb6a89dd355740be62e63039a1dfc1876109fbbab85600de894354e41fc847f9
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFRDhDOkQzNTgzOjlGNUQ0NjpEQzExMjI6NkE0REREQzkiLCJ2aXNpdG9yX2lkIjoiODYzNzAwODM2MzA2MDU4Mzg4MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmaca20504323602d52ae3e8c0a8eeddc7f1b82000d48cb666d9de64f0636a47b6d3
hovercard-subject-tagissue:4561051767
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13301/issue_layout
twitter:imagehttps://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13301
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13301
og:image:altAdvisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13301#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13301
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13301
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13301
Reloadhttps://github.com/apache/cloudstack/issues/13301
Reloadhttps://github.com/apache/cloudstack/issues/13301
Please reload this pagehttps://github.com/apache/cloudstack/issues/13301
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus)https://github.com/apache/cloudstack/issues/13301#top
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13301#issue-4561051767
AsyncJobManagerImpl.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442
docker-compose.ymlhttps://gist.github.com/YLChen-007/e804cb11fb975c6d23a81fc8d6b95c0f
verification_test_Issue-cloudstack-8854.pyhttps://gist.github.com/YLChen-007/685a0d477c87272d11ccb5cab2fe2d2a
control-obfuscation_check.pyhttps://gist.github.com/YLChen-007/41c50a13a5beec322cc672a014eee7f4
cloudstack/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.