- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 6.2.7, 7.1.9
- Component/s: System Administration - Others
- 6.02
- Severity 2 - Major
Summary
Setting root level DEBUG can expose login information (username/pw) when JIRA is connected to Crowd for user management, as it outputs the REST POST contents that are transmitted through the HttpClient.
Environment
Crowd integrated with JIRA for user management.
Steps to Reproduce
- Integrate JIRA with Crowd for user management
- Within JIRA's administration panel, set DEBUG logging on the 'Default' level
- Log into JIRA as any Crowd user (for example: testuser / testpw)
- Check JIRA's application logs (atlassian-jira.log) or tomcat server logs (catalina.out)
The above log files contain both testuser and testpw in plain text.
Expected Results
The password details are obfuscated in the logging.
Actual Results
Note that the log shows the password as entered by the user, which may or may not be the real password, but in most cases users will have entered the real one.
Workaround
Modify the log4j.properties file by adding:
log4j.logger.httpclient.wire=WARN
- This will not prevent this exposure, but simply adds another layer before the exposure occurs.
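Added example (not part of the ticket or of Atlassian's code) covering both the reproduction above and the workaround: it parses a log4j.properties fragment to tell whether the root DEBUG level still reaches the httpclient wire logger once the workaround line is in place, and it scans log lines for Crowd authentication bodies so an administrator can find and redact already-leaked credentials. The sample log lines are constructed; the `[httpclient.wire.*]` prefix, the `?username=` request parameter and the `<password><value>...</value></password>` body shape are assumptions about how the Crowd REST call appears in atlassian-jira.log, so adjust the regexes to what your own log shows.

```python
import re

# ---- 1. Does this log4j.properties let httpclient wire logging emit request bodies? ----

LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF")

def parse_log4j(text):
    """Return {logger_name: LEVEL} from a log4j.properties text; "" is the root logger.
    Only the level token (first comma-separated value) is kept; appender names are dropped."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        level = value.split(",")[0].strip().upper()
        if level not in LEVELS:
            continue  # appender-only or malformed entries are not level settings
        if key in ("log4j.rootLogger", "log4j.rootCategory"):
            levels[""] = level
        elif key.startswith("log4j.logger."):
            levels[key[len("log4j.logger."):]] = level
    return levels

def effective_level(levels, logger_name):
    """Nearest configured ancestor in the dotted hierarchy, as log4j 1.x resolves it."""
    name = logger_name
    while True:
        if name in levels:
            return levels[name]
        if "." not in name:
            return levels.get("", "DEBUG")  # log4j 1.x root logger defaults to DEBUG
        name = name.rsplit(".", 1)[0]

def wire_logging_exposes_credentials(log4j_text):
    """True when httpclient.wire.content would log outbound bodies, i.e. DEBUG or TRACE."""
    level = effective_level(parse_log4j(log4j_text), "httpclient.wire.content")
    return level in ("TRACE", "DEBUG")

# ---- 2. Finding and redacting credentials already written to the logs ----

# Assumed shapes (see lead-in): XML body <password><value>x</value></password>, and
# form/query parameters such as password= or os_password=.
PASSWORD_XML = re.compile(r"(<password>(?:\s*<value>)?)([^<]+)", re.IGNORECASE)
PASSWORD_PARAM = re.compile(r"((?:os_)?password=)([^&\s\"\[]+)", re.IGNORECASE)
USERNAME_RE = re.compile(r"(?:username=|<username>)([^&\s\"<]+)", re.IGNORECASE)

# Constructed sample: wire logging writes the request line and the body as separate lines.
SAMPLE_LOG = """\
2016-05-10 10:15:01,120 DEBUG [httpclient.wire.header] >> "POST /crowd/rest/usermanagement/1/authentication?username=testuser HTTP/1.1[\\r][\\n]"
2016-05-10 10:15:01,121 DEBUG [httpclient.wire.content] >> "<?xml version="1.0"?><password><value>testpw</value></password>"
2016-05-10 10:15:01,400 INFO [jira.security.login] Login succeeded for user 'testuser'
"""

def find_credential_leaks(log_text):
    """Return [(line_number, username_or_None)] for lines carrying a password value.
    The username is carried forward from the preceding request line, since the body
    line itself does not name the user. The secret is deliberately not returned."""
    hits, current_user = [], None
    for number, line in enumerate(log_text.splitlines(), 1):
        user_match = USERNAME_RE.search(line)
        if user_match:
            current_user = user_match.group(1)
        if PASSWORD_XML.search(line) or PASSWORD_PARAM.search(line):
            hits.append((number, current_user))
    return hits

def redact_secrets(log_text):
    """Replace password values with a marker so the log can be retained or shared."""
    text = PASSWORD_XML.sub(r"\1[REDACTED]", log_text)
    return PASSWORD_PARAM.sub(r"\1[REDACTED]", text)

if __name__ == "__main__":
    print("root DEBUG only:", wire_logging_exposes_credentials("log4j.rootLogger=DEBUG, console\n"))
    print("with workaround:", wire_logging_exposes_credentials(
        "log4j.rootLogger=DEBUG, console\nlog4j.logger.httpclient.wire=WARN\n"))
    print("leaks:", find_credential_leaks(SAMPLE_LOG))
    print(redact_secrets(SAMPLE_LOG))
```

The config check shows why the workaround is only another layer: it silences one logger name, so any other logger that echoes request contents, or a later edit that re-enables `httpclient.wire`, reopens the exposure, which is why the ticket asks for the password to be obfuscated at the source rather than relying on log levels.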
Notes
This is not specific to just JIRA/Crowd integration. It affects all of Atlassian's applications that integrate with Crowd.
Why this is a problem
- It is common for Crowd to be integrated with LDAP or Google Applications
- Local Atlassian application administrator only has access to JIRA and the server hosting JIRA
- This administrator may not have access to any other system, such as LDAP, database, etc.
- If DEBUG logging on the 'Default' level is set and a high level executive logs into JIRA, their password for LDAP could be captured
- The local Atlassian admin can now gain access to the company's systems beyond their privileges.
- relates to: JRASERVER-26605 DEBUG logging shows user inputted pw (Closed)
- was cloned as: RAID-15