Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.6.21, 7.17.14, 7.21.8, 8.3.4, 8.4.3, 8.5.2, 8.6.2, 8.7.0
Affects Version/s: 7.6.0
Component/s: SSH
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

When a user uploads their public SSH key, Bitbucket will log the submitted data at DEBUG level if the key is invalid. Unfortunately, if a user mistakenly uploads their private key, this will be logged:

username *SECO1Qx158x13421x0 3omfyq 123.45.67.89,12.34.56.78 "POST /plugins/servlet/ssh/account/keys/add HTTP/1.1" c.a.bitbucket.ssh.util.KeyUtils Invalid key: [-----BEGIN RSA PRIVATE KEY-----
[...]

Given that many systems (including Atlassian's) run with debug logs enabled, we should not be logging this information.

Attachments

Issue Links

relates to: VULN-1030160 Loading...; VULN-1030161 Loading...; VULN-1030949 Loading...

Activity

People

Assignee:: Brent P

Reporter:: Brent P

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Jan/2023 4:20 AM

Updated:: 10/Jan/2023 1:50 AM

Resolved:: 10/Jan/2023 1:01 AM