jira-importer opened a new issue, #1254:
URL: https://github.com/apache/maven-scm/issues/1254

   **[Markus Hoffrogge](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=mhoffrog)** opened **[SCM-1028](https://issues.apache.org/jira/browse/SCM-1028?redirect=false)** and commented
   
   **Issue(s):**
   1. **JGit provider**: If the git password contains special characters which are differently encoded by the `URI` class than by `URLEncode.encode`, then the password masking does not become effective and the password is logged in clear URI encoded format by the jgit provider.
   2. **Gitexe remoteinfo**: In case ls-remote is failing, then a `ScmException` is being thrown with the fetch URL passed as error message containing the URI encoded clear password.
   
   **Root cause(s):**
   1. The URL encoding used for the credentials within fetch and push URL differs from the encoding being used for masking the password at [JGitUtils.prepareSession(...)](https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149)
   2. Password is not masked for the exception message passed to the `ScmException` used at [GitRemoteInfoCommand.executeRemoteInfoCommand(...)](https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59)
   
   **Solution:**
   
   [PR #237](https://github.com/apache/maven-scm/pull/237)
   
   
   ---
   
   **Affects:** 2.1.0
   
   **Remote Links:**
   - [GitHub Pull Request #237](https://github.com/apache/maven-scm/pull/237)
   - [GitHub Pull Request #244](https://github.com/apache/maven-scm/pull/244)
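
The encoding mismatch described in the issue, reproduced with the JDK alone and followed by a masking routine that does not depend on how the password was encoded. This is an added example, not code from maven-scm or from PR #237; the class name `MaskDemo`, both method names, the host `git.example.com`, the user `alice` and the password are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

public class MaskDemo {
    // Fragile: assumes the password appears in the URL exactly as URLEncoder writes it.
    static String maskByReplace(String url, String password) throws UnsupportedEncodingException {
        return url.replace(URLEncoder.encode(password, "UTF-8"), "********");
    }

    // Encoding-independent: locate the password inside the raw user-info component
    // of the URL itself, so whatever escaping was applied is masked as-is.
    static String maskByUserInfo(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return "<unparseable URL withheld>"; // fail closed, never echo the input
        }
        String raw = uri.getRawUserInfo();
        if (raw == null) return url;             // no credentials in the URL
        int colon = raw.indexOf(':');
        if (colon < 0) return url;               // user name only, no password
        String masked = raw.substring(0, colon + 1) + "********";
        return url.replace(raw + "@", masked + "@");
    }

    public static void main(String[] args) throws Exception {
        String password = "p@ss word!";          // constructed sample credential
        // The multi-argument URI constructor escapes the space as %20 and keeps '!',
        // while URLEncoder writes the space as '+' and escapes '!' as %21.
        URI fetch = new URI("https", "alice:" + password, "git.example.com", -1,
                            "/repo.git", null, null);
        String url = fetch.toASCIIString();

        System.out.println("URI form of URL    : " + url);
        System.out.println("URLEncoder password: " + URLEncoder.encode(password, "UTF-8"));
        System.out.println("replace-based mask : " + maskByReplace(url, password));
        System.out.println("user-info mask     : " + maskByUserInfo(url));
    }
}
```

The same user-info masking applies to any string that embeds the fetch URL, including an exception message, before it reaches a logger.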
   