René's URL Explorer Experiment


Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack · GitHub

Open Graph Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack

X Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack

Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credential exposure when registering and configur...

Open Graph Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia...

X Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia...

Opengraph URL: https://github.com/apache/cloudstack/issues/13303

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations","articleBody":"### Advisory Details\n\n**Title**: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations\n\n**Description**:\nApache CloudStack is vulnerable to plaintext credential exposure when registering and configuring external network element providers (such as VMware NSX, Netris, or BigSwitch BCF) and hypervisors (such as Oracle OVM3). During configuration initialization (`configure` method), the resource managers check for the existence of mandatory properties (like `port` or `url`). If a required parameter is missing or connection fails, the resource managers throw a `ConfigurationException` that stringifies the entire unmasked configuration parameters map (`params`), which contains the cleartext administrator or agent password. \nThis exception is captured by the outer Management Server framework and is both directly returned to the calling client in the JSON HTTP REST API error response (`errortext` field) and logged as cleartext in system logs (`management-server.log`). In addition, `Ovm3HypervisorResource` prints the raw parameter map in debug mode, causing credentials to be persistently stored in the logging system.\n\n---\n\n### Summary\nAn information exposure vulnerability in Apache CloudStack allows authenticated administrators or network operators to leak and obtain highly privileged plaintext credentials of underlying network elements (VMware NSX, Netris, BigSwitch) and hypervisor agents (OVM3). By submitting a resource configuration request that deliberately omits a required parameter, the platform's exception handling stringifies the entire configuration map, revealing the plaintext password in HTTP REST API error responses and system logs.\n\n---\n\n### Details\nIn Apache CloudStack, administrators configure external infrastructure by invoking REST API commands like `addNsxController`, `addHost`, and `addNetrisDevice`. The framework passes these parameters in a unified `params` Map (`Map\u003cString, Object\u003e`) to the corresponding backend `ServerResource` component.\nFour resource managers fail to properly mask or exclude the raw parameter map when raising exceptions or logging:\n\n1. **`NsxResource.java`** (Lines 186–205)\n   When checking mandatory parameters (e.g. `port`, `username`, `password`), if a check fails, the resource manager stringifies `params` in the exception message:\n   ```java\n   port = (String) params.get(\"port\");\n   if (port == null) {\n       throw new ConfigurationException(\"Missing NSX port from params: \" + params);\n   }\n   ```\n   Since `params` contains the cleartext `\"password\"` field, it is converted to string and returned in the Exception message.\n\n2. **`NetrisResource.java`** (Lines 190–204)\n   Similarly leaks cleartext credentials in Netris element configurations:\n   ```java\n   endpointUrl = (String) params.get(\"url\");\n   if (endpointUrl == null) {\n       throw new ConfigurationException(\"Missing Netris provider URL from params: \" + params);\n   }\n   ```\n\n3. **`BigSwitchBcfResource.java`** (Lines 106–124)\n   Leaks credentials in BigSwitch BCF configuration error messages:\n   ```java\n   String hostname = (String)params.get(\"hostname\");\n   if (hostname == null) {\n       throw new ConfigurationException(\"Missing host name from params: \" + params);\n   }\n   ```\n\n4. **`Ovm3HypervisorResource.java`** (Line 308)\n   Logs the complete parameter map including unmasked OVS agent passwords in debug logging:\n   ```java\n   @Override\n   public boolean configure(String name, Map\u003cString, Object\u003e params) throws ConfigurationException {\n       logger.debug(\"configure \" + name + \" with params: \" + params);\n   ```\n\n---\n\n### PoC\n\n#### Prerequisites\n* Python 3.x with the `requests` library installed.\n* CloudStack Management Server administrative API access (or a simulated test environment).\n\n#### Reproduction Steps\nTo reproduce the credential leakage safely and reliably without a full multi-gigabyte Apache CloudStack cluster setup, we use the local mock verification script which simulates the backend resource validation logic:\n\n1. Download the isolated environment setup from: [docker-compose.yml](https://gist.github.com/YLChen-007/890b90176cdcdc1110f91894feda19e5)\n2. Download the Vulnerability Verification PoC script from: [verification_test_Issue-cloudstack-11985-ResourceParams.py](https://gist.github.com/YLChen-007/bdd4c812681c958cb3089fe9e88c3e07)\n3. Download the Control Group Verification script from: [control-masked_exception.py](https://gist.github.com/YLChen-007/49f9ce71c53e1d1acc03e4d4a13be6c6)\n4. Execute the verification test to demonstrate the plaintext password leakage:\n   ```bash\n   python3 verification_test_Issue-cloudstack-11985-ResourceParams.py\n   ```\n5. Execute the control test to confirm that a secured backend correctly masks or omits the parameter map:\n   ```bash\n   python3 control-masked_exception.py\n   ```\n\n---\n\n### Log of Evidence\n\nUpon executing the verification test (`verification_test_Issue-cloudstack-11985-ResourceParams.py`), the following runtime console output confirms the defect by capturing the cleartext password `HighlySensitiveResourcePassword123!` directly in the error response payload:\n\n```\n[*] Starting Local Vulnerability Mock Server...\n[*] Running Issue-cloudstack-11985 ResourceParams Credential Leakage Integration Test...\n[*] Dispatching addNsxController command with sensitive password: HighlySensitiveResourcePassword123!\n[*] Response Status Code: 530\n[*] Response Payload: {'addnsxcontrollerresponse': {'errorcode': 530, 'errortext': \"com.cloud.utils.exception.CloudRuntimeException: javax.naming.ConfigurationException: Missing NSX port from params: {'name': 'mock-nsx-provider', 'hostname': '192.168.1.100', 'username': 'admin', 'password': 'HighlySensitiveResourcePassword123!', 'tier0gateway': 'T0-GW', 'edgecluster': 'Edge-Cluster', 'transportzone': 'TZ-Overlay', 'zoneid': '00000000-0000-0000-0000-000000000000', 'command': 'addNsxController', 'apiKey': 'ADMIN_API_KEY_PLACEHOLDER', 'response': 'json', 'signature': 'ud2x93R63p7cIk/kdPJt1+3lyv8='}\"}}\n[DEFECT CONFIRMED] Plaintext password leaked in the API error response!\n```\n\n---\n\n### Impact\n* **Vulnerability Type**: Information Exposure / Plaintext Credential Leakage (CWE-209 / CWE-532)\n* **Assets Compromised**: High-privilege control-plane infrastructure credentials (including VMware NSX, Netris switches, BigSwitch BCF, and OVM3 hypervisors).\n* **Consequences**: An attacker or operator with device configuration permissions can retrieve the raw plaintext credentials of core SD-WAN controllers and network switches, enabling them to alter overlay network topologies, capture data plane traffic, or bypass boundary controls. In the case of OVM3, leaking agent credentials yields root SSH access on physical hypervisors. Furthermore, the persistent log logging violates standard PCI-DSS and security audit compliance controls.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n---\n\n### Weaknesses\n\n- **CWE-209**: Generation of Error Message Containing Sensitive Information\n- **CWE-532**: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205) | Vulnerable parameter map stringification inside NsxResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204) | Vulnerable parameter map stringification inside NetrisResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124) | Vulnerable parameter map stringification inside BigSwitchBcfResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308) | Plaintext logging of the parameters map containing passwords inside Ovm3HypervisorResource configuration debug statements. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:13.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13303/cloudstack/issues/13303"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:c898f2bc-de9d-4d67-749d-6c56aa554fd4
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idC982:10263B:6608F5:89E517:6A4DD1BB
html-safe-nonce2e9a807312311a3e9e0da666277929384a795194f5590984b2ca07d76d7aa782
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDOTgyOjEwMjYzQjo2NjA4RjU6ODlFNTE3OjZBNEREMUJCIiwidmlzaXRvcl9pZCI6IjU4Njg1OTIxMTQ3MzI3NDkyNDMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmac03e33109330b5c7e8ea8408972363e73374b480ceecee4e26358db9e4041b2d4
hovercard-subject-tagissue:4561092376
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13303/issue_layout
twitter:imagehttps://opengraph.githubassets.com/8604ed1ad074a3b5076a4b2e3a6afc67bb2f67cf6a8813aae01006b608aea880/apache/cloudstack/issues/13303
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/8604ed1ad074a3b5076a4b2e3a6afc67bb2f67cf6a8813aae01006b608aea880/apache/cloudstack/issues/13303
og:image:altAdvisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13303#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13303
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13303
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13303
Reloadhttps://github.com/apache/cloudstack/issues/13303
Reloadhttps://github.com/apache/cloudstack/issues/13303
Please reload this pagehttps://github.com/apache/cloudstack/issues/13303
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurationshttps://github.com/apache/cloudstack/issues/13303#top
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13303#issue-4561092376
docker-compose.ymlhttps://gist.github.com/YLChen-007/890b90176cdcdc1110f91894feda19e5
verification_test_Issue-cloudstack-11985-ResourceParams.pyhttps://gist.github.com/YLChen-007/bdd4c812681c958cb3089fe9e88c3e07
control-masked_exception.pyhttps://gist.github.com/YLChen-007/49f9ce71c53e1d1acc03e4d4a13be6c6
cloudstack/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.