Cyl created CASSANDRA-21148:
-------------------------------

             Summary: Nodetool history leaks password when using equals sign syntax (-pw=password)
                 Key: CASSANDRA-21148
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21148
             Project: Apache Cassandra
          Issue Type: Bug
          Components: Tool/nodetool
            Reporter: Cyl


{*}Description{*}: The vulnerability exists in the {{nodetool}} command-line
tool. When users execute commands, {{nodetool}} saves the command history to
{{~/.cassandra/nodetool.history}}. Although the code attempts to hide
passwords using a regular expression, the original regex only matches
space-separated passwords (e.g., {{-pw password}}) but fails to handle
equals-sign-separated passwords (e.g., {{-pw=password}}).

{*}File{*}: {{src/java/org/apache/cassandra/tools/NodeTool.java}} {*}Method{*}: 
{{printHistory}}

{*}Vulnerable Code{*}:
```java
// Original Regex: Only matches whitespace \s+ after -pw
cmdLine = cmdLine.replaceFirst("(?<=(-pw|--password))\\s+\\S+", " <hidden>");
```
{*}Logic{*}: The regex {{(?<=(-pw|--password))\\s+\\S+}} explicitly requires
whitespace ({{\s+}}) after the flag. If a user uses the assignment syntax
supported by many CLI parsers (including airline, which Cassandra uses), such as
{{-pw=secret}}, the regex fails to match and the password is written to the
history file in plain text.

*Impact* Sensitive JMX passwords are leaked in plain text in the 
{{~/.cassandra/nodetool.history}} file. While less critical than a public log 
leak, it persists credentials on disk in a readable file that might be backed 
up or viewed by other users with read access to the home directory.

*Reproduction*
 # Build the project.
 # Run nodetool with the equals sign syntax: {{bin/nodetool -pw=secretpassword help}}
 # Check the history file: {{cat ~/.cassandra/nodetool.history}}

{*}Observed Result{*}:

{{2025-12-04 06:36:10,690: -p 7199 -pw=secretpassword help}}

*Fix* Modify the regular expression to support both space and equals sign 
separators.

{*}Fixed Code{*}:
```java
// New Regex: Matches whitespace \s+ OR equals sign =
cmdLine = cmdLine.replaceFirst("(?<=(-pw|--password))(\\s+|=)\\S+", " <hidden>");
```
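To make the difference between the two regexes concrete, here is a small stand-alone harness (an added example, not Cassandra's code) that runs the original and the fixed pattern from this ticket over constructed nodetool command lines and reports which ones would still reach the history file unmasked. The class name, sample lines and the {{secretpassword}} placeholder are assumptions for the demonstration.

```java
import java.util.List;

// Added example (not part of NodeTool.java): exercises the original and the
// fixed password-masking regex from CASSANDRA-21148 over sample command lines.
public class NodetoolHistoryMaskCheck
{
    // Regex as it appears in NodeTool.printHistory before the fix.
    static final String ORIGINAL = "(?<=(-pw|--password))\\s+\\S+";
    // Regex proposed in the ticket: accept whitespace OR '=' after the flag.
    static final String FIXED = "(?<=(-pw|--password))(\\s+|=)\\S+";

    // Constructed sample command lines; "secretpassword" is a placeholder.
    static final List<String> SAMPLES = List.of(
        "-p 7199 -pw secretpassword help",
        "-p 7199 -pw=secretpassword help",
        "-u cassandra --password secretpassword status",
        "-u cassandra --password=secretpassword status");

    // Same call shape as printHistory: replaceFirst with the " <hidden>" token.
    static String mask(String regex, String cmdLine)
    {
        return cmdLine.replaceFirst(regex, " <hidden>");
    }

    // True when the placeholder secret no longer appears after masking.
    static boolean isMasked(String regex, String cmdLine)
    {
        return !mask(regex, cmdLine).contains("secretpassword");
    }

    public static void main(String[] args)
    {
        for (String cmd : SAMPLES)
        {
            // Expected: ORIGINAL masks only the two space-separated lines,
            // FIXED masks all four.
            System.out.printf("%-48s original=%-5s fixed=%s%n",
                              cmd, isMasked(ORIGINAL, cmd), isMasked(FIXED, cmd));
            System.out.println("  fixed output: " + mask(FIXED, cmd));
        }
    }
}
```

Note that with the fixed regex the {{=}} is consumed by the match, so {{-pw=secretpassword}} is recorded as {{-pw <hidden>}}, and because both versions use {{replaceFirst}} only the first password flag on a line is masked.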
{*}Environment{*}: Linux, Cassandra trunk



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
