René's URL Explorer Experiment


Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack · GitHub

Open Graph Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack

X Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack

Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility class com.cloud.utils.script.Script to execu...

Open Graph Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas...

X Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas...

Opengraph URL: https://github.com/apache/cloudstack/issues/13309

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs","articleBody":"### Advisory Details\n\n**Title**: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs\n\n**Description**:\n\nApache CloudStack uses the core utility class `com.cloud.utils.script.Script` to execute external system processes (such as `qemu-img` conversion, block device mapping, and shell operations). To prevent sensitive access keys or passwords from appearing in console and file logging, `Script.java` implements a custom command line builder (`buildCommandLine`) that obscures arguments using a helper method `sanitizeRbdFileFormatCmdParameter`.\n\nHowever, the current implementation of `sanitizeRbdFileFormatCmdParameter` contains several logic vulnerabilities that allow attackers/users to bypass masking entirely under three common operational scenarios:\n1. **URI-based Ceph Credentials:** Storage network URI patterns (e.g. `rbd://username:password@host/pool`) do not contain the substring `\"key=\"` and use a scheme starting with `\"rbd://\"` rather than `\"rbd:\"`. This skips the sanitization conditions entirely.\n2. **Bash Execution Wrappers:** If commands are executed via standard shell wrappers (e.g. `[\"/bin/bash\", \"-c\", \"qemu-img convert ... rbd:pool/image:key=secret\"]`), the evaluated argument string begins with the shell prefix rather than `\"rbd:\"`. This triggers the prefix constraint `!cmd.startsWith(\"rbd:\")` and leaves the plaintext key unmasked.\n3. **Multiple key= Occurrences:** The method splits arguments using `cmd.split(\"key=\")` and exits immediately if `tokens.length != 2`. If a Base64-encoded Ceph key contains the substring `key=` or other properties introduce multiple `key=` elements, the length constraint is violated, and the raw plaintext key is logged to disk.\n\n### Summary\n\nAn information leakage vulnerability in Apache CloudStack's central process execution logging utility (`com.cloud.utils.script.Script`) allows plaintext storage pool credentials (usernames and passwords/keys) to be logged in the clear when Ceph RBD connection options, network URIs, or multiple key options are executed as shell commands.\n\n### Details\n\nThe vulnerability lies in the implementation of the private `sanitizeRbdFileFormatCmdParameter` method in `utils/src/main/java/com/cloud/utils/script/Script.java`:\n\n```java\n    private boolean sanitizeRbdFileFormatCmdParameter(String cmd, StringBuilder builder) {\n        if (StringUtils.isEmpty(cmd) || !cmd.startsWith(\"rbd:\") || !cmd.contains(\"key=\")) {\n            return false;\n        }\n\n        String[] tokens = cmd.split(\"key=\");\n        if (tokens.length != 2) {\n            return false;\n        }\n        ...\n```\n\n- **Prefix Bypass:** If `cmd` is a standard RBD network URI (`rbd://user:pass@host/pool`), it does not contain the substring `\"key=\"` and is processed as a standard unsanitized parameter, outputting the embedded credentials in plaintext.\n- **Shell Wrapper Bypass:** When running commands via helper utilities (like `/bin/bash -c \"...\"`), the entire shell string is treated as a single argument. Because this parameter starts with `/bin/bash` or `qemu-img` instead of `\"rbd:\"`, the startsWith check fails, outputting the plaintext password to the log.\n- **Split Count Bypass:** If a Base64-encoded Ceph key or other parameters within the command string introduce multiple `key=` substrings, `tokens.length` exceeds `2`, skipping the sanitization process entirely and printing the plaintext key.\n\n### PoC\n\n#### Prerequisites\n\n- Java Development Kit (JDK 11 or higher).\n- Maven 3.x for executing JUnit test validations.\n- Python 3.x for running integration simulation scripts.\n\n#### Reproduction Steps\n\n1. Download the automated logical verification script from: [verification_test.py](https://gist.github.com/YLChen-007/4d8ecc1d6041177bac3d12da5a30becd)\n2. Download the scientific control group script from: [control-normal_sanitization.py](https://gist.github.com/YLChen-007/756c21564a106bc60c27e521f1b7674f)\n3. Execute the automated logical verification script:\n   ```bash\n   python3 verification_test.py\n   ```\n4. Execute the scientific control group script to confirm normal sanitization remains functional:\n   ```bash\n   python3 control-normal_sanitization.py\n   ```\n5. Alternatively, run the built-in repository unit tests which demonstrate the exact unpatched variant behavior:\n   ```bash\n   mvn test -pl utils -Dtest=ScriptTest\n   ```\n\n### Log of Evidence\n\n```\n=========================================================================\n[*] Running RbdLogLeak Defect Variant Verification\n=========================================================================\n[*] Stage 1: Attempting to connect to running CloudStack Management Server...\n[!] CloudStack Management Server is offline (Expected in isolated environment).\n[*] Switching to Academic/Logical Code-Path Verification...\n\n--- Flow 1: RBD URI with Credentials ---\nOriginal constructed command:\n  qemu-img convert rbd://cloudstack:AQD-hJxklW1RGRAAA56oHGN6d-WPDLss2b05Cw==@ceph-mon:6789/pool/volume\nLogged command from Script.java:\n  qemu-img convert rbd://cloudstack:AQD-hJxklW1RGRAAA56oHGN6d-WPDLss2b05Cw==@ceph-mon:6789/pool/volume\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 1 log output!\n\n--- Flow 2: RBD connection options in Bash Script Execution ---\nOriginal constructed command:\n  /bin/bash -c qemu-img convert -O qcow2 rbd:pool/image:key=supersecretpass999:auth_supported=cephx /tmp/output.qcow2\nLogged command from Script.java:\n  /bin/bash -c qemu-img convert -O qcow2 rbd:pool/image:key=supersecretpass999:auth_supported=cephx /tmp/output.qcow2\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 2 log output!\n\n--- Flow 3: RBD key= option with multiple occurrences ---\nOriginal constructed command:\n  qemu-img convert rbd:pool/image:key=secret1:some_option=key=secret2\nLogged command from Script.java:\n  qemu-img convert rbd:pool/image:key=secret1:some_option=key=secret2\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 3 log output!\n\n=========================================================================\nRESULT: DEFECT-CONFIRMED (TRUE POSITIVE)\n=========================================================================\n\n=========================================================================\n[*] Running RbdLogLeak Defect Control Test (Scientific Control Group)\n=========================================================================\n\n--- Control Group: Normal Ceph RBD parameter string ---\nOriginal constructed command:\n  rbd:pool/image:key=my-ceph-secret-key:auth_supported=cephx\nLogged command from Script.java:\n  rbd:pool/image:key=******:auth_supported=cephx\n🟢 [CONTROL-PASSED] Plaintext Ceph secret was successfully masked to 'key=******'.\n=========================================================================\nRESULT: CONTROL-PASSED\n=========================================================================\n```\n\n### Impact\n\n- **Vulnerability Category:** Exposure of Sensitive Information to an Unauthorized Actor via Log Files.\n- **Assets Compromised:** Central primary storage / Ceph RBD storage clusters.\n- **Exploitation Impact:** Leaking master Ceph storage credentials into the application log allows anyone with log file access (such as system administrators, SOC analysts, log aggregator databases) to obtain full administrative control over the entire Ceph cluster. An attacker can read, modify, or delete virtual machine templates, primary disk files, system volumes, snapshots, and customer raw databases.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-utils\n- **Affected versions**: `\u003c= 4.22.1.0`\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L202-L221](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L202-L221) | The vulnerable helper `sanitizeRbdFileFormatCmdParameter` containing fragile startsWith prefix and token split constraints that ignore different URI schemes and shell wrapper sub-commands. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L166-L186](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L166-L186) | The `buildCommandLine` execution parameters builder that calls `sanitizeRbdFileFormatCmdParameter` without robust token extraction or regex-based masking of secrets. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:13:33.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13309/cloudstack/issues/13309"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:b6eb43b7-9230-f4ae-8071-828e154b9549
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id875A:323A96:178D4D2:224674E:6A4E4E46
html-safe-noncee045fafbdbbdb1cf1ca5708e025f75ca5329a3f59d42ce53315409e98912e3b4
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NzVBOjMyM0E5NjoxNzhENEQyOjIyNDY3NEU6NkE0RTRFNDYiLCJ2aXNpdG9yX2lkIjoiMzkwODE2NjIxOTU5Nzc2MjExOCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmac3afad4a3c9e62535ee7911836682382b913c2a5d671c44dedb4019bfe655f283
hovercard-subject-tagissue:4561099498
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13309/issue_layout
twitter:imagehttps://opengraph.githubassets.com/db2ab75b5dbefbc07ea9fe34cf01cc842f4442004e4fb2548b13dc1b4787cf06/apache/cloudstack/issues/13309
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/db2ab75b5dbefbc07ea9fe34cf01cc842f4442004e4fb2548b13dc1b4787cf06/apache/cloudstack/issues/13309
og:image:altAdvisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releasee8506f6d0538364886e3f0153c154c410965e70d
ui-targetcanary-2
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13309#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13309
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13309
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13309
Reloadhttps://github.com/apache/cloudstack/issues/13309
Reloadhttps://github.com/apache/cloudstack/issues/13309
Please reload this pagehttps://github.com/apache/cloudstack/issues/13309
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 535 https://github.com/apache/cloudstack/issues
Pull requests 265 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logshttps://github.com/apache/cloudstack/issues/13309#top
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13309#issue-4561099498
verification_test.pyhttps://gist.github.com/YLChen-007/4d8ecc1d6041177bac3d12da5a30becd
control-normal_sanitization.pyhttps://gist.github.com/YLChen-007/756c21564a106bc60c27e521f1b7674f
cloudstack/utils/src/main/java/com/cloud/utils/script/Script.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L202-L221
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/utils/src/main/java/com/cloud/utils/script/Script.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L166-L186
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.