Details
Description
When a user uploads a public SSH key and the key fails to parse, Bitbucket logs the submitted data at DEBUG level. If the user mistakenly pastes a private key instead, the private key itself is written to the log:
username *SECO1Qx158x13421x0 3omfyq 123.45.67.89,12.34.56.78 "POST /plugins/servlet/ssh/account/keys/add HTTP/1.1" c.a.bitbucket.ssh.util.KeyUtils Invalid key: [-----BEGIN RSA PRIVATE KEY----- [...]
Given that many installations (including Atlassian's own) run with DEBUG logging enabled, the raw submission should not be logged at all; a rejected key needs at most a redacted summary in the log.
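As an added illustration for this report (Python written for this page, not Bitbucket's own Java code), the block below contrasts the reported logging pattern with a redacting one, and adds a scan for private-key markers in existing log lines so already-leaked keys can be found and rotated. The minimal OpenSSH key parser, the sample keys and the log excerpt are all constructed here; the KeyUtils line format is only imitated.

```python
import base64
import hashlib
import logging
import re
import struct


# Constructed sample inputs (not taken from the original report).
def _build_demo_public_key() -> str:
    """Build a minimal, well-formed OpenSSH public key from its wire format."""
    fields = (b"ssh-rsa", b"\x01\x00\x01", b"\x00\xab\xcd\xef")  # type, e, n
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " demo@example"


PUBLIC_KEY = _build_demo_public_key()
# PEM-shaped private key; the body is placeholder text, not real key material.
PRIVATE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAplaceholderplaceholderplaceholder\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")


def parse_openssh_public_key(text: str) -> str:
    """Validate '<type> <base64 blob> [comment]' and return the key type.

    Stand-in for the server-side check: the blob must be valid base64 and its
    first length-prefixed string must equal the declared type, else ValueError.
    """
    parts = text.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' form")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("declared type does not match blob")
    return key_type


def summarize_untrusted_key(text: str) -> str:
    """Describe rejected input for the log without echoing it.

    Anything that looks like PEM private-key material is withheld entirely;
    other junk is reduced to length plus a short hash for correlating retries.
    """
    if PRIVATE_KEY_MARKER.search(text):
        return "rejected: input looks like private-key material, content withheld"
    digest = hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()[:12]
    return f"rejected: {len(text)} chars, sha256 prefix {digest}"


def log_invalid_key_unsafe(logger: logging.Logger, submitted: str) -> None:
    """The reported behaviour: the raw submission is echoed at DEBUG."""
    logger.debug("Invalid key: [%s]", submitted)


def log_invalid_key_safe(logger: logging.Logger, submitted: str) -> None:
    """Hardened form: only a redacted summary reaches the log."""
    logger.debug("Invalid key: %s", summarize_untrusted_key(submitted))


class _ListHandler(logging.Handler):
    """Collects LogRecords in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def handle_key_upload(submitted: str, log_fn=log_invalid_key_safe) -> tuple[bool, str]:
    """Accept or reject a submitted key; return (accepted, DEBUG text written)."""
    logger = logging.getLogger("ssh_key_upload_demo")
    logger.setLevel(logging.DEBUG)  # the deployments the report is worried about
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        try:
            parse_openssh_public_key(submitted)
            return True, ""
        except ValueError:
            log_fn(logger, submitted)
            return False, handler.records[0].getMessage()
    finally:
        logger.removeHandler(handler)


# Constructed log excerpt in the shape of the line quoted in the report.
SAMPLE_LOG = [
    'alice *ABC123 1abc 203.0.113.5 "POST /plugins/servlet/ssh/account/keys/add HTTP/1.1" c.a.bitbucket.ssh.util.KeyUtils Invalid key: [ssh-rsa AAAA garbage]',
    'bob *ABC124 1abd 203.0.113.6 "POST /plugins/servlet/ssh/account/keys/add HTTP/1.1" c.a.bitbucket.ssh.util.KeyUtils Invalid key: [-----BEGIN RSA PRIVATE KEY----- MIIE...]',
    'carol *ABC125 1abe 203.0.113.7 "GET /dashboard HTTP/1.1" c.a.bitbucket.web.Filter ok',
]


def find_leaked_private_keys(lines) -> list[int]:
    """1-based numbers of log lines carrying a private-key marker (rotate those keys)."""
    return [i for i, line in enumerate(lines, 1) if PRIVATE_KEY_MARKER.search(line)]


if __name__ == "__main__":
    print(handle_key_upload(PUBLIC_KEY))
    print(handle_key_upload(PRIVATE_KEY, log_fn=log_invalid_key_unsafe))
    print(handle_key_upload(PRIVATE_KEY))
    print(find_leaked_private_keys(SAMPLE_LOG))
```

The redacting logger still gives an operator something to correlate repeated failures on (length and hash prefix), which is the usual objection to simply dropping the message; the scan function is what you run over archived logs after the fix ships, since any hit is a key that must be considered compromised regardless of who can read the log today.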
Issue Links
relates to
- VULN-1030160
- VULN-1030161
- VULN-1030949