request #41870 Redis password is dumped into the generated troubleshooting archives

Infos

Artifact ID#41870

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-03-04 17:38

Submitted on2025-02-25 14:14

Rank43538

Details

Summary *

Redis password is dumped into the generated troubleshooting archives

Original Submission

The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data.

Impact

Password to connect Redis instance is leaked in debug archives that is likely to be used by support teams that should not have access to it.

CVSSv3.1 score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

References

CWE 538
CVE-2025-27150

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-02-25

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #41091	Tuleap	Releases	16.5	Delivered	2025-02-27 11:44	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #41870

Git commit

tuleap/tuleap/stable

fix: request #41870 Redis password is dumped into the generated troubleshooting archives a6702622a8

Thomas Gerbet (tgerbet) , 2025-02-25 14:14

Merge commit 'refs/changes/89/33589/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD f6e85eaa60

Marie Ange Garnier (marieange) , 2025-02-25 15:14

Show items referenced by request #41870

Referenced by request #41870

Artifact Tracker v5

rel #41091 16.5

Git commit

tuleap/tuleap/stable

fix: request #41870 Redis password is dumped into the generated troubleshooting archives a6702622a8

Thomas Gerbet (tgerbet) , 2025-02-25 14:14

Other

gerrit #33589

Follow-ups

Thomas Gerbet (tgerbet)

2025-03-04 17:38

Public disclosure.

Thomas Gerbet (tgerbet)

2025-02-26 09:33

CVE-2025-27150 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2025-02-25 15:32

Connected artifacts
- Added Fixed in: rel #41091

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-02-25 15:14

request fixed by @tgerbet with git #tuleap/stable/a6702622a8db969a17522b8fac0774afdb1c916f.

Status changed from Under review to Closed
Close date set to 2025-02-25

Thomas Gerbet (tgerbet)

2025-02-25 14:20

See gerrit #33589.

Status changed from Under implementation to Under review