Nextcloud logs ldap passwords
Low
Vulnerability Details
When the LDAP server is (temporarily) unavailable, data like the attached ends up in log files. I've replaced usernames with `XXX_USERn_XXX` and passwords with `XXX_PASSn_XXX`. It seems that at least the following methods are missing from `$methodsWithSensitiveParameters` in `lib/private/Log.php`:
- `bind`
- `areCredentialsValid`
- `invokeLDAPMethod`
- `checkPasswordNoLogging`
Report Stats
- Report ID: 264426
- State: Closed
- Substate: resolved
- Upvotes: 2