PlaciPy Sensitive Data Exposure Vulnerability in Logging

A vulnerability in PlaciPy version 1.0.0 allows for the exposure of highly sensitive data through unredacted console logs. This issue affects multiple components of the application, including authentication middleware, student services, and routing for student submissions. The logged information includes JWT access tokens, plaintext passwords, personal identifiable information (PII) of students, and details related to assessments. Such logs are often centralized in logging systems like CloudWatch or ELK, further increasing the risk of data exposure.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of sensitive information, including authentication tokens and passwords, student PII, and assessment-related data. This could result in session hijacking and violations of privacy regulations such as GDPR and FERPA.

Remediation

To address this vulnerability, all sensitive logging should be removed. Implement structured logging that includes redaction of sensitive information, mask secrets and PII before logging, and restrict detailed logging to development environments only. Additionally, enforce controls on log retention and access.