CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`Here, PROFILE_URL is a constant:
private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";
This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
References
CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
Here,
PROFILE_URLis a constant:This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
References