kanidm-provision Admin Credential Logging Vulnerability

Vulnerability

A vulnerability in kanidm-provision versions prior to 1.2.0 allows provisioned admin credentials to be leaked into the system log. This issue arises from a faulty function instrumentation in the optional kanidm patches provided by kanidm-provision. The vulnerability only affects users who utilize these patches and provision their admin or idm_admin account credentials in this manner. Other credentials remain unaffected.

Impact

Because of this vulnerability, the provisioned admin credentials are written in plaintext to the system log, where they can be read by any unauthorized user or process that has permission to read that log.

Remediation

Users should recompile kanidm with the kanidm-provision patchset from tag v1.2.0 or later. As a temporary workaround, set the log level (KANIDM_LOG_LEVEL) to any level above info, such as warn, so that the log line carrying the credentials is not emitted.
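The bug class described above, as an added example that is not kanidm's or kanidm-provision's code: a Rust stand-in for an entry point whose instrumentation Debug-formats every argument (the advisory does not name the macro involved, so the leaky function here is a constructed imitation of that behaviour), beside the same function taking a Secret newtype whose Debug output is redacted, plus a check a defender can run over a log line to confirm whether a provisioned password was leaked. All function names and the sample password are constructed.

```rust
use std::fmt;

/// Wrapper for credential material whose Debug output is always redacted, so
/// that argument-logging instrumentation (anything that formats parameters
/// with {:?}) cannot leak the value into the log.
pub struct Secret(String);

impl Secret {
    pub fn new(s: impl Into<String>) -> Self {
        Secret(s.into())
    }
    /// Explicit accessor: the only way to reach the plaintext.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

/// Constructed imitation of the faulty instrumentation: the log line records
/// every argument Debug-formatted, including the plaintext password.
/// Returns the log line so the effect can be checked.
pub fn set_account_password_leaky(account: &str, password: &str) -> String {
    format!("INFO set_account_password{{account={account:?} password={password:?}}}")
}

/// Same entry point with the credential wrapped: the instrumentation still
/// formats every argument, but the wrapper's Debug impl hides the secret.
pub fn set_account_password_safe(account: &str, password: &Secret) -> String {
    let _plaintext = password.expose(); // used for the real operation, never logged
    format!("INFO set_account_password{{account={account:?} password={password:?}}}")
}

/// Defender check: does this log line contain the provisioned credential?
pub fn log_leaks(log_line: &str, credential: &str) -> bool {
    log_line.contains(credential)
}

fn main() {
    let pw = "constructed-example-password"; // constructed sample value
    let leaky = set_account_password_leaky("idm_admin", pw);
    let safe = set_account_password_safe("idm_admin", &Secret::new(pw));
    println!("{leaky}\n{safe}");
    println!("leaky leaks: {}, safe leaks: {}", log_leaks(&leaky, pw), log_leaks(&safe, pw));
}
```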

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.5
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.