Headline
CVE-2023-47390: Headscale logs bearer tokens · Issue #1259 · juanfont/headscale
Headscale through 0.22.3 writes bearer tokens to info-level logs.
Bug description
Looking at the headscale logs, it logs this at info level when accessing the HTTP API:
2023-03-11T21:13:56Z INF unary dur=0.815623 md={":authority":"/var/run/headscale.sock","authorization":"Bearer XXX.XXX","content-type":"application/grpc","grpcgateway-accept":"*/*","grpcgateway-authorization":"Bearer XXX.XXX","grpcgateway-user-agent":"python-httpx/0.23.3","user-agent":"grpc-go/1.51.0","x-forwarded-for":"xxxxx","x-forwarded-host":"xxxxxx"} method=ListApiKeys req={} service=headscale.v1.HeadscaleService
This includes the whole bearer token. It would be great if the credentials wouldn’t get logged :)
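The fix a maintainer would want for the report above is to scrub credential-bearing metadata before it reaches the logger, rather than dropping the metadata entirely. The following is an added example, not headscale's own code or patch: it assumes a map[string][]string mirroring gRPC's metadata.MD shape, takes the two key names ("authorization" and "grpcgateway-authorization") from the logged line, and adds "cookie" and "x-api-key" as further commonly sensitive keys (an assumption, not from the issue). The auth scheme ("Bearer") is kept so the log still shows how the request authenticated; only the token is replaced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sensitiveKeys lists metadata keys (lower-cased) whose values carry credentials.
// "authorization" and "grpcgateway-authorization" are the two keys visible in the
// issue's log line; "cookie" and "x-api-key" are assumed additions.
var sensitiveKeys = map[string]bool{
	"authorization":             true,
	"grpcgateway-authorization": true,
	"cookie":                    true,
	"x-api-key":                 true,
}

// redactValue keeps a recognised auth scheme ("Bearer", "Basic") so the log still
// shows which scheme was used, but replaces the credential itself.
func redactValue(v string) string {
	parts := strings.SplitN(v, " ", 2)
	if len(parts) == 2 && parts[1] != "" {
		return parts[0] + " [REDACTED]"
	}
	return "[REDACTED]"
}

// RedactMetadata returns a copy of md with credential-bearing values replaced.
// The map[string][]string shape mirrors gRPC's metadata.MD type (assumption);
// the input is not modified, so the handler still sees the real metadata.
func RedactMetadata(md map[string][]string) map[string][]string {
	out := make(map[string][]string, len(md))
	for k, vals := range md {
		if sensitiveKeys[strings.ToLower(k)] {
			red := make([]string, len(vals))
			for i, v := range vals {
				red[i] = redactValue(v)
			}
			out[k] = red
			continue
		}
		out[k] = append([]string(nil), vals...)
	}
	return out
}

// FormatLogMD renders metadata the way a structured logger would, as a JSON
// object, after redaction. Multi-valued keys are joined with ", " for readability.
func FormatLogMD(md map[string][]string) (string, error) {
	flat := make(map[string]string, len(md))
	for k, vals := range RedactMetadata(md) {
		flat[k] = strings.Join(vals, ", ")
	}
	b, err := json.Marshal(flat)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed metadata modelled on the issue's log line; the token value is a
	// placeholder, not a real credential.
	md := map[string][]string{
		":authority":                {"/var/run/headscale.sock"},
		"authorization":             {"Bearer XXX.XXX"},
		"grpcgateway-authorization": {"Bearer XXX.XXX"},
		"content-type":              {"application/grpc"},
		"user-agent":                {"grpc-go/1.51.0"},
	}
	s, err := FormatLogMD(md)
	if err != nil {
		panic(err)
	}
	fmt.Printf("INF unary md=%s method=ListApiKeys\n", s)
}
```

Running main prints the same shape of line as the issue's log entry, with both authorization values shown as "Bearer [REDACTED]" and every other key intact. Matching on a lower-cased key list is deliberate: gRPC metadata keys are already lower-cased, but the same helper can then be reused on HTTP headers, where the original casing varies.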
Related news
GHSA-wp76-cf2j-rqq7: Headscale writes bearer tokens to info-level logs