{
  "id": "security/oauth2-client-secret-exposed-in-log",
  "signature": "OAuth2 client secret exposed in application log: sensitive credentials written to log file",
  "signature_zh": "OAuth2客户端密钥在应用程序日志中暴露：敏感凭据写入日志文件",
  "regex": "client_secret|clientSecret|client.*secret.*log|secret.*printed|credential.*exposed",
  "domain": "security",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The OAuth2 client secret was inadvertently logged as part of a request or configuration dump, exposing the credential to anyone with access to the log files, the log-shipping pipeline or their backups; from that point the value has to be treated as compromised.",
  "root_cause_type": "generic",
  "root_cause_zh": "OAuth2客户端密钥作为请求或配置转储的一部分被无意中记录，将凭据暴露给任何有权访问日志文件的人。",
  "versions": [
    {
      "version": "Spring Boot 3.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Log4j 2.20",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Python logging 0.5",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Node.js Winston 3.11",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Simply rotating the secret without fixing the logging configuration means the new secret will also be logged, perpetuating the exposure.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Adding a redaction rule to only one logger, appender or level (e.g., the ERROR appender) leaves the same message exposed when it is written at another level such as DEBUG or through a different appender; the rule has to be applied at the root so that every output path is covered.",
      "fail_rate": 0.35,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Masking only by truncating the value (logging a prefix or suffix) still leaks part of the secret, and does nothing for copies that reach the log through other paths such as an exception message or stack trace; any partial exposure still warrants rotation.",
      "fail_rate": 0.25,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Attach a filter or redacting layout to every appender that can receive the secret, not just one logger. Note that a Log4j2 RegexFilter drops the whole event rather than masking it, and it is matched against the entire formatted message, so the pattern needs wildcards on both sides: `<RegexFilter regex=\".*client_secret=[^&\\s]+.*\" onMatch=\"DENY\" onMismatch=\"NEUTRAL\"/>`. To keep the event and mask only the value, use a PatternLayout replace instead: `%replace{%msg}{client_secret=[^&\\s]+}{client_secret=***}%n`. Neither sees secrets that arrive via exception messages, stack traces or structured fields outside %msg, so treat this as defense in depth rather than the fix.",
      "success_rate": 0.85,
      "how": "Attach a filter or redacting layout to every appender that can receive the secret, not just one logger. Note that a Log4j2 RegexFilter drops the whole event rather than masking it, and it is matched against the entire formatted message, so the pattern needs wildcards on both sides: `<RegexFilter regex=\".*client_secret=[^&\\s]+.*\" onMatch=\"DENY\" onMismatch=\"NEUTRAL\"/>`. To keep the event and mask only the value, use a PatternLayout replace instead: `%replace{%msg}{client_secret=[^&\\s]+}{client_secret=***}%n`. Neither sees secrets that arrive via exception messages, stack traces or structured fields outside %msg, so treat this as defense in depth rather than the fix.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot: `@Value(\"${client.secret}\")` and avoid printing it; in particular, find and fix the request or configuration dump that serialized it (e.g., a `toString()` on a config object or verbose HTTP client logging). Once the code path is fixed, rotate the exposed secret and purge or restrict access to the affected logs and any aggregator copies, since the old value must be treated as compromised.",
      "success_rate": 0.9,
      "how": "Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot: `@Value(\"${client.secret}\")` and avoid printing it; in particular, find and fix the request or configuration dump that serialized it (e.g., a `toString()` on a config object or verbose HTTP client logging). Once the code path is fixed, rotate the exposed secret and purge or restrict access to the affected logs and any aggregator copies, since the old value must be treated as compromised.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Attach a filter or redacting layout to every appender that can receive the secret, not just one logger. Note that a Log4j2 RegexFilter drops the whole event rather than masking it, and it is matched against the entire formatted message, so the pattern needs wildcards on both sides: `<RegexFilter regex=\".*client_secret=[^&\\s]+.*\" onMatch=\"DENY\" onMismatch=\"NEUTRAL\"/>`. To keep the event and mask only the value, use a PatternLayout replace instead: `%replace{%msg}{client_secret=[^&\\s]+}{client_secret=***}%n`. Neither sees secrets that arrive via exception messages, stack traces or structured fields outside %msg, so treat this as defense in depth rather than the fix.",
    "Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot: `@Value(\"${client.secret}\")` and avoid printing it; in particular, find and fix the request or configuration dump that serialized it (e.g., a `toString()` on a config object or verbose HTTP client logging). Once the code path is fixed, rotate the exposed secret and purge or restrict access to the affected logs and any aggregator copies, since the old value must be treated as compromised."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://logging.apache.org/log4j/2.x/manual/filters.html",
  "official_doc_section": null,
  "error_code": "SEC-2001",
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2024-03-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}