On Tuesday, February 18, 2025, PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 18817
Logged by: Indrajeet Deshmukh
Email address: bkindrajeeth@gmail.com
PostgreSQL version: 15.0
Operating system: Linux
Description:
Namaste Team,
During the integration of PostgreSQL Database v15 logs into a SIEM
solution, I observed that user passwords are logged in plaintext when a user
is created using the database command. This poses a serious security risk as
credentials could be exposed to unauthorized users who have access to the
logs.
Vendor: PostgreSQL
Product: PostgreSQL Database
Version: 15
Severity: High
Issue Type: Security Vulnerability
Steps to Reproduce:
Open the PostgreSQL Database CLI or execute the command via a script.
Run the following command to create a new user:
CREATE USER indrajeet WITH PASSWORD 'indrajeet';
The long-standing position here is that the encrypted password being found in the logs is not a security issue needing fixing. It’s maybe a bit unfortunate that we provide both secure and insecure methods for setting or changing a password but we do. Use the secure methods. Which means compute the encrypted password off-server and send that instead of the clear text version.
David J.
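The "secure method" referred to above is what psql's \password (and libpq's PQencryptPasswordConn) does: the client derives the SCRAM-SHA-256 verifier itself and sends only that, so the statement text that ends up in the server log (under log_statement = 'ddl'/'all', or via log_min_error_statement) never carries the cleartext password. The following is an added example written for this page, not code from the thread or from PostgreSQL; it builds the verifier in the same format PostgreSQL stores in pg_authid.rolpassword (SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>) and wraps it in a CREATE ROLE statement. The role name, the password and the 4096/16-byte parameters are assumed (4096 and 16 bytes match PostgreSQL's defaults), and the password is assumed to be ASCII so that SASLprep normalisation, which a real client applies first, is a no-op.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed to match PostgreSQL's defaults: 16-byte salt and 4096 PBKDF2 rounds.
SALT_LEN = 16
ITERATIONS = 4096


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = ITERATIONS) -> str:
    """Derive a PostgreSQL-format SCRAM-SHA-256 verifier from a cleartext password.

    Steps (RFC 5802/7677):
      SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, iterations, 32 bytes)
      ClientKey      = HMAC(SaltedPassword, "Client Key")
      StoredKey      = SHA-256(ClientKey)
      ServerKey      = HMAC(SaltedPassword, "Server Key")
    Assumption: `password` is already SASLprep-normalised (true for ASCII).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh random salt per verifier
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")


def verify_against(verifier: str, password: str) -> bool:
    """Re-derive the verifier from its own salt/iterations and compare.

    This mirrors what the server can check offline from the stored string; it
    is used here only to prove the generated verifier is self-consistent.
    """
    scheme, rest = verifier.split("$", 1)
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    params, _keys = rest.split("$", 1)
    iters_s, salt_b64 = params.split(":", 1)
    recomputed = scram_sha256_verifier(password, base64.b64decode(salt_b64),
                                       int(iters_s))
    return hmac.compare_digest(recomputed, verifier)


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Single-quote an SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def create_role_sql(role: str, password: str) -> str:
    """Build the CREATE ROLE statement carrying the pre-hashed verifier.

    PostgreSQL stores a password string that is already in SCRAM format as-is,
    so the statement text (and therefore the log line) contains only the
    verifier. The same literal works with ALTER ROLE ... PASSWORD.
    """
    verifier = scram_sha256_verifier(password)
    return (f"CREATE ROLE {quote_ident(role)} WITH LOGIN "
            f"PASSWORD {quote_literal(verifier)};")


if __name__ == "__main__":
    # Constructed sample input: hypothetical role and password.
    print(create_role_sql("indrajeet", "correct horse battery"))
```

Run it and feed the printed statement to psql (or any driver); a search of the server log for the cleartext password then comes back empty. Treat the verifier as sensitive all the same: anyone who reads it from the log can mount an offline dictionary attack against the password, which is why the SIEM pipeline should still restrict who can read DDL log lines.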