René's URL Explorer Experiment


Title: Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication · Issue #13311 · apache/cloudstack · GitHub

Open Graph Title: Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication · Issue #13311 · apache/cloudstack

X Title: Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication · Issue #13311 · apache/cloudstack

Description: Advisory Details Title: Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authentication Description: Summary Apache CloudStack exposes a sensitive information disclosure issue in the /clien...

Open Graph Description: Advisory Details Title: Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authentication Description: Summary Apache CloudStack exposes a sensitive in...

X Description: Advisory Details Title: Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authentication Description: Summary Apache CloudStack exposes a sensitive in...

Opengraph URL: https://github.com/apache/cloudstack/issues/13311

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication","articleBody":"### Advisory Details\n\n**Title**: Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication\n\n**Description**:\n\n### Summary\n\nApache CloudStack exposes a sensitive information disclosure issue in the `/client/api` request entrypoint. When a request contains duplicate query parameters, `com.cloud.api.ApiServlet` emits a WARN log stating that only the last value will be respected. For sensitive parameters such as `password`, the servlet formats the warning with `Arrays.toString(v)` and writes the raw values to the log before authentication, request verification, or command dispatch occurs. A remote caller can therefore cause plaintext credential material to be recorded in management logs even when the HTTP request itself fails with `401 Unauthorized`.\n\n### Details\n\nThe issue is in `server/src/main/java/com/cloud/api/ApiServlet.java`. Inside `processRequestInContext`, CloudStack reads the servlet parameter map and immediately passes it to `checkSingleQueryParameterValue(reqParams)`. That helper logs duplicate values without masking sensitive keys.\n\n```java\nprivate void checkSingleQueryParameterValue(Map\u003cString, String[]\u003e params) {\n    params.forEach((k, v) -\u003e {\n        if (v.length \u003e 1) {\n            String message = String.format(\"Query parameter '%s' has multiple values %s. Only the last value will be respected.\" +\n                \"It is advised to pass only a single parameter\", k, Arrays.toString(v));\n            LOGGER.warn(message);\n        }\n    });\n}\n```\n\nThe vulnerable control flow is:\n\n1. External caller reaches `/client/api` through Jetty.\n2. `ApiServlet.processRequestInContext(...)` calls `req.getParameterMap()`.\n3. `checkSingleQueryParameterValue(reqParams)` executes before `verifyRequest(...)`.\n4. `LOGGER.warn(...)` writes duplicate sensitive values in plaintext.\n5. Only after that does the request continue into UTF-8 fixup, authentication, and API dispatch.\n\nThis is why the issue is reachable from an external network client without valid credentials. In the manual and automated verification environment, the request returned `401`, but the warning log still contained both password values.\n\nThe servlet is the standard API front door defined in `client/src/main/webapp/WEB-INF/web.xml`:\n\n```xml\n\u003cservlet\u003e\n    \u003cservlet-name\u003eapiServlet\u003c/servlet-name\u003e\n    \u003cservlet-class\u003ecom.cloud.api.ApiServlet\u003c/servlet-class\u003e\n    \u003cload-on-startup\u003e5\u003c/load-on-startup\u003e\n\u003c/servlet\u003e\n\u003cservlet-mapping\u003e\n     \u003cservlet-name\u003eapiServlet\u003c/servlet-name\u003e\n     \u003curl-pattern\u003e/api/*\u003c/url-pattern\u003e\n\u003c/servlet-mapping\u003e\n```\n\n### PoC\n\n#### Prerequisites\n\n- A checkout of Apache CloudStack on the affected branch or release.\n- Java, Maven, and Python 3 installed locally.\n- Network access to fetch Maven dependencies.\n- The PoC uses a minimal Jetty harness because a full current-branch management-server E2E startup was not stable in this lab. The vulnerable code path itself is the real `ApiServlet` from the target project.\n\n#### Reproduction Steps\n\n1. Download the harness launcher from: [start_harness.sh](https://gist.github.com/YLChen-007/3f72b3b782f801c962f85131131c33fc)\n2. Download the minimal servlet harness from: [ApiServletHarnessServer.java](https://gist.github.com/YLChen-007/911719873d1971e07abaf1cd36e53878)\n3. Download the Log4j harness config from: [log4j2-harness.xml](https://gist.github.com/YLChen-007/983e67bf057554fc92f87fc4a59c96d8)\n4. Download the automation wrapper from: [verification_test.py](https://gist.github.com/YLChen-007/545bad01b0931a4434453e53180aaafe)\n5. Optionally download the control case from: [control-normal_behavior.py](https://gist.github.com/YLChen-007/f1a14cba0f26748d94ad818570ec4ff4)\n6. Place the files in one working directory with `ApiServletHarnessServer.java` under `src/`.\n7. Start the PoC harness:\n   `bash start_harness.sh --port 18085`\n8. In another terminal, send a duplicate sensitive parameter request:\n   `curl -i 'http://127.0.0.1:18085/client/api?command=listCapabilities\u0026response=json\u0026password=MANUAL_SECRET_ONE\u0026password=MANUAL_SECRET_TWO'`\n9. Observe the harness console output. The request may return `401 Unauthorized`, but the server log will contain both password values in the WARN line.\n10. For an automated check, run:\n   `python3 verification_test.py`\n\n### Log of Evidence\n\nManual trigger evidence captured during verification:\n\n```text\nHTTP/1.1 401 Unauthorized\n...\n{\"error\":\"stubbed after duplicate-parameter check\"}\n\nWARN com.cloud.api.ApiServlet - Query parameter 'password' has multiple values [MANUAL_SECRET_ONE, MANUAL_SECRET_TWO]. Only the last value will be respected.It is advised to pass only a single parameter\n```\n\nAutomated verification evidence:\n\n```text\n[MODE] Integration-Test\n[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter 'password' has multiple values [EXP_SECRET_ALPHA_8852, EXP_SECRET_BETA_8852]. Only the last value will be respected.It is advised to pass only a single parameter\n[OBSERVED_LEAK_ALPHA] True\n[OBSERVED_LEAK_BETA] True\n[CLASSIFICATION] DEFECT-CONFIRMED-WITH-LIMITATIONS\n```\n\nControl evidence:\n\n```text\n[MODE] Integration-Test Control\n[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter 'username' has multiple values [CONTROL_USER_ALPHA_8852, CONTROL_USER_BETA_8852]. Only the last value will be respected.It is advised to pass only a single parameter\n[OBSERVED_PASSWORD_SECRET] False\n[CONTROL] SUCCESS\n```\n\n### Impact\n\nThis is an information disclosure vulnerability in the API control plane. Any actor who can send requests to `/client/api` can force plaintext sensitive values into management logs simply by repeating a sensitive parameter name. The immediate impact is credential leakage to anyone with access to local logs, centralized log collection, support bundles, or backups. Depending on the leaked parameter, this can expose administrator passwords, API secrets, session tokens, or other credentials that can later be reused against CloudStack.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: Medium\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L199-L204](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L199-L204) | `checkSingleQueryParameterValue` formats duplicate query parameter values with `Arrays.toString(v)` and writes them directly with `LOGGER.warn(...)` without any sensitive-key masking. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L229-L230](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L229-L230) | `processRequestInContext` invokes the duplicate-parameter warning path immediately after `req.getParameterMap()`, before authentication and request verification. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/webapp/WEB-INF/web.xml#L45-L60](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/webapp/WEB-INF/web.xml#L45-L60) | The standard `/client/api` servlet mapping shows this vulnerable code is on the default external HTTP API path. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:33:22.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/13311/cloudstack/issues/13311"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:a47b2519-f82b-0492-d34b-2f0a74f00b71
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idDAEA:204C81:10D25C4:1682670:6A4D8D2E
html-safe-nonce0a524cd7bf607623f7b1a87697433004eac093eb8abf0305d899bbce3123f16f
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEQUVBOjIwNEM4MToxMEQyNUM0OjE2ODI2NzA6NkE0RDhEMkUiLCJ2aXNpdG9yX2lkIjoiMjc2MTgzNzExMTgzMzEwMzY2MiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmaca1efe1e455886e3c6dba4f1dfb81bf89318bbfc5acf2ac152aac5b1eb853c35b
hovercard-subject-tagissue:4561210248
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13311/issue_layout
twitter:imagehttps://opengraph.githubassets.com/89ad9ce9b4f603d51925082855768641e3223a65854f95d802315fbec0faa91c/apache/cloudstack/issues/13311
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/89ad9ce9b4f603d51925082855768641e3223a65854f95d802315fbec0faa91c/apache/cloudstack/issues/13311
og:image:altAdvisory Details Title: Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authentication Description: Summary Apache CloudStack exposes a sensitive in...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None9f8758a3953dfe943439713a6fa4f90d542a3431f10e861ca03dd7f39009f320
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releasebffd5484f01713a661b03469b77678f72b6574ed
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13311#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13311
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13311
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13311
Reloadhttps://github.com/apache/cloudstack/issues/13311
Reloadhttps://github.com/apache/cloudstack/issues/13311
Please reload this pagehttps://github.com/apache/cloudstack/issues/13311
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authenticationhttps://github.com/apache/cloudstack/issues/13311#top
https://github.com/dheeraj12347
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13311#issue-4561210248
start_harness.shhttps://gist.github.com/YLChen-007/3f72b3b782f801c962f85131131c33fc
ApiServletHarnessServer.javahttps://gist.github.com/YLChen-007/911719873d1971e07abaf1cd36e53878
log4j2-harness.xmlhttps://gist.github.com/YLChen-007/983e67bf057554fc92f87fc4a59c96d8
verification_test.pyhttps://gist.github.com/YLChen-007/545bad01b0931a4434453e53180aaafe
control-normal_behavior.pyhttps://gist.github.com/YLChen-007/f1a14cba0f26748d94ad818570ec4ff4
cloudstack/server/src/main/java/com/cloud/api/ApiServlet.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L199-L204
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/server/src/main/java/com/cloud/api/ApiServlet.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L229-L230
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/client/src/main/webapp/WEB-INF/web.xmlhttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/webapp/WEB-INF/web.xml#L45-L60
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
dheeraj12347https://github.com/dheeraj12347
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.