Himmelblau Credential Leakage Vulnerability in Debug Logs
Vulnerability
A vulnerability in Himmelblau versions 0.7.0 through 0.8.2 allows credentials to leak into debug logs. When debug logging is enabled, user access tokens and Kerberos Ticket-Granting Tickets (TGTs) are written to the log. Because the log then contains live authentication material, any deployment running with debug logging enabled faces a significant risk to credential security.
Impact
Enabling debug logging can lead to the unintentional disclosure of user access tokens and Kerberos TGTs, both of which are sensitive authentication credentials.
Remediation
Users can upgrade to Himmelblau version 0.7.15 or 0.8.3, both of which address this vulnerability. Those unable to upgrade can disable debug logging by setting the 'debug' option to 'false' in the Himmelblau configuration file and by not passing the '-d' flag when starting the 'himmelblaud' daemon. Additionally, the 'logon_script' option can be disabled in the configuration file.
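The following script is an added example and is not code from the advisory or from the Himmelblau project. It checks the three things the advisory names (installed version, the 'debug' and 'logon_script' settings, the '-d' daemon flag) and then redacts JWT-shaped access tokens from log lines already written while debug logging was on. It assumes an INI-style configuration file with a [global] section, the path /etc/himmelblau/himmelblau.conf, a daemon invoked as 'himmelblaud', and that leaked access tokens are JWTs (three base64url segments whose header begins with 'eyJ'); the sample configuration and log lines are constructed for the example.

```python
"""Exposure check for the Himmelblau debug-log credential leak.

Added example; not code from the advisory or the Himmelblau project.
Assumptions: INI-style config with a [global] section, daemon started as
'himmelblaud', and leaked access tokens that are JWT-shaped.
"""
import configparser
import re
from typing import List, Tuple

# Assumed configuration path; adjust for your deployment.
CONFIG_PATH = "/etc/himmelblau/himmelblau.conf"

# JWT access tokens: header.payload.signature in base64url; the header
# is base64 of '{"' and therefore starts with 'eyJ'.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def parse_version(version: str) -> Tuple[int, ...]:
    """'0.8.2' -> (0, 8, 2); tolerates a leading 'v'."""
    return tuple(int(p) for p in version.lstrip("v").split("."))


def is_affected_version(version: str) -> bool:
    """True if the version falls in the advisory's affected range.

    The advisory lists 0.7.0 through 0.8.2 as affected and 0.7.15 / 0.8.3 as
    fixed. This reads that as 'fixed from 0.7.15 on the 0.7 series and from
    0.8.3 on the 0.8 series' (an interpretation, not the advisory's wording).
    """
    v = parse_version(version)
    if v[:2] == (0, 7):
        return (0, 7, 0) <= v < (0, 7, 15)
    if v[:2] == (0, 8):
        return v <= (0, 8, 2)
    return False


def audit_config(config_text: str) -> List[str]:
    """Return findings for the two settings the advisory says to change."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings = []
    if cfg.getboolean("global", "debug", fallback=False):
        findings.append("debug = true: tokens and TGTs are written to the debug log")
    if cfg.get("global", "logon_script", fallback="").strip():
        findings.append("logon_script is set: the advisory recommends disabling it")
    return findings


def has_debug_flag(argv: List[str]) -> bool:
    """True if the daemon command line carries the '-d' debug flag."""
    return "-d" in argv[1:]


def redact_tokens(line: str) -> Tuple[str, int]:
    """Mask JWT-shaped tokens in one log line; return (redacted_line, count)."""
    return JWT_RE.subn("<REDACTED-JWT>", line)


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact every line; return (clean_lines, total_tokens_found)."""
    clean, total = [], 0
    for line in lines:
        redacted, n = redact_tokens(line)
        clean.append(redacted)
        total += n
    return clean, total


# Constructed sample inputs (not real tokens, not real Himmelblau output).
SAMPLE_CONFIG = """
[global]
domains = example.com
debug = true
logon_script = /usr/local/bin/logon.sh
"""

SAMPLE_LOG = [
    "INFO  himmelblaud: authenticating user@example.com",
    "DEBUG himmelblaud: access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl",
    "DEBUG himmelblaud: token cache refreshed",
]


if __name__ == "__main__":
    for v in ("0.7.3", "0.7.15", "0.8.2", "0.8.3"):
        print(f"{v}: {'affected' if is_affected_version(v) else 'not affected'}")
    for finding in audit_config(SAMPLE_CONFIG):
        print("finding:", finding)
    print("daemon started with -d:", has_debug_flag(["himmelblaud", "-d"]))
    clean, n = scan_log(SAMPLE_LOG)
    print(f"{n} token(s) redacted")
    for line in clean:
        print(line)
```

Kerberos TGT material has no single textual signature the way a JWT does, so the redaction above only covers access tokens; logs produced while the vulnerable version ran with debug enabled should be treated as containing TGTs regardless, and the affected users' credentials rotated. To run against a real deployment, replace SAMPLE_CONFIG with the contents of CONFIG_PATH and SAMPLE_LOG with the daemon's log lines.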
