Couchbase Sync Gateway
cpe:2.3:a:couchbase:sync_gateway:*:*:*:*:*:*:*
- >= 3.2.0, <= 3.2.5
A credential disclosure vulnerability affects Couchbase Sync Gateway versions 3.2.0 through 3.2.5 (fixed in 3.2.6). When a log collection is run with sgcollect_info, the credentials supplied to initiate the collection are written without redaction, in cleartext, to the log files sgcollect_info_options.log and sync_gateway.log.
Anyone who can read those log files, or a collected sgcollect_info archive that contains them, can recover the cleartext passwords, which could be used to gain administrative privileges on the Couchbase Server.
To reproduce this vulnerability, run a log collection with sgcollect_info on an affected version of Couchbase Sync Gateway, supplying credentials as the collection options require. Once the collection completes, inspect sgcollect_info_options.log and sync_gateway.log: on an affected version the password used to initiate the collection appears in both files unredacted.
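A quick way to confirm the leak, or to confirm that a given host is clean after upgrading, is to search the two files for the exact credential that was passed to the collection. The script below is an added example and is not Couchbase's own tooling; the log lines it writes are constructed to illustrate the leak and the redacted form, and the file names are the ones named in this advisory (the line formats themselves are assumed, not taken from Sync Gateway).

```sh
#!/bin/sh
# Added example: scan Sync Gateway collection logs for an unredacted credential.
# Not Couchbase code; sample log lines below are constructed for illustration.

# leak_count SECRET FILE...
# Prints the total number of lines across FILE... that contain SECRET verbatim.
# Missing files are skipped. Fixed-string matching (-F) so the secret is not
# interpreted as a regular expression. Always returns 0; use has_leak for status.
leak_count() {
    secret=$1; shift
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        c=$(grep -F -c -- "$secret" "$f") || true   # grep -c exits 1 on no match
        total=$((total + c))
    done
    echo "$total"
}

# has_leak SECRET FILE...
# Returns 0 (true) if SECRET appears in any of the files, 1 otherwise.
has_leak() {
    n=$(leak_count "$@")
    [ "$n" -gt 0 ]
}

# make_leaky_sample DIR SECRET
# Writes constructed versions of the two files as an affected version would:
# the password is present in cleartext in both. Line formats are illustrative.
make_leaky_sample() {
    dir=$1; secret=$2
    mkdir -p "$dir"
    printf 'sgcollect_info options: --sync-gateway-password=%s\n' "$secret" \
        > "$dir/sgcollect_info_options.log"
    printf '[INF] sgcollect_info started with password=%s\n' "$secret" \
        > "$dir/sync_gateway.log"
}

# make_redacted_sample DIR
# Same two files with the password redacted, i.e. what a clean scan looks like.
make_redacted_sample() {
    dir=$1
    mkdir -p "$dir"
    printf 'sgcollect_info options: --sync-gateway-password=<redacted>\n' \
        > "$dir/sgcollect_info_options.log"
    printf '[INF] sgcollect_info started with password=<redacted>\n' \
        > "$dir/sync_gateway.log"
}

# Stand-alone usage against a real installation:
#   has_leak "$SG_PASSWORD" /path/to/sgcollect_info_options.log /path/to/sync_gateway.log \
#       && echo "credential found in cleartext: rotate it and scrub these files"
```

Point the same functions at the files unpacked from any sgcollect_info archive that has already been shared or uploaded, since those copies leak the credential just as the on-host files do.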
Users should upgrade to Couchbase Sync Gateway version 3.2.6 or later to address this vulnerability. Upgrading does not remove passwords already written to disk, so any credentials used to initiate log collection while an affected version was running should be rotated, and the affected sgcollect_info_options.log and sync_gateway.log files, along with any sgcollect_info archives already shared or uploaded, should be treated as containing those credentials until they are scrubbed or deleted.