Bug 571233 - Security Leak Information: Maven Password
Summary: Security Leak Information: Maven Password
Status: CLOSED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilitied reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-02-16 15:09 EST by gomer ben CLA
Modified: 2021-03-01 11:48 EST (History)
4 users

See Also:


Attachments
password (100.75 KB, image/png)
2021-02-16 15:09 EST, gomer ben CLA
no flags

Description gomer ben CLA 2021-02-16 15:09:55 EST
Created attachment 285573 [details]
password

Hello,

In our search we found the following clear-text information: username/password/API key/secret/tokens.
Please protect your data; attackers can reuse them for their own purposes.

Url : https://github.com/eclipse-cbi/jiro/blob/4549be0cb688ac796d2b6440dadced918eb87c01/instances/ecd.codewind/target/.secrets/maven/settings.xml

https://github.com/eclipse-cbi/jiro/blob/4549be0cb688ac796d2b6440dadced918eb87c01/instances/ecd.codewind/target/.secrets/maven/settings-security.xml




Liked my bug? Buy me a coffee (or more likely a beer x2):
https://www.paypal.com/paypalme/bugbounty1/150USD
https://www.paypal.com/paypalme/bugbounty1/75USD
https://www.buymeacoffee.com/bugbounty

Help me to continue to protect others' information.
Comment 1 Mikaël Barbero CLA 2021-02-16 15:33:53 EST
Thanks for the report. We are working on it.
Comment 2 Mikaël Barbero CLA 2021-02-16 15:46:38 EST
The credentials have been revoked.
Comment 3 Mikaël Barbero CLA 2021-02-16 16:42:34 EST
I've removed the files with the secrets https://github.com/eclipse-cbi/jiro/commit/1b5ab01e10c62373ae7ddd20ec32b7c89926ae1d

We will do a full audit tomorrow to check whether the credentials have been used.
Comment 4 Mikaël Barbero CLA 2021-03-01 11:48:57 EST
We've published a postmortem about the incident https://mikael-barbero.medium.com/credentials-leaked-on-github-4d0658db8080

This concludes the incident. Thanks again for your report.