Technical information leak in openssl-encrypt

Description

openssl-encrypt's readiness endpoint leaks database error details to unauthenticated callers

Summary

The /ready endpoint in openssl_encrypt_server/server.py at lines 159-175 catches database errors and returns the full exception string in the response.

Affected Code

except Exception as e:
    return {"status": "not_ready", "reason": str(e)}

Impact

Database exception messages can leak:

    Database hostnames and IP addresses

    Connection parameters and port numbers

    Driver version information

    Database credentials, if the driver includes the connection string in its error message

This information is available to unauthenticated callers.

Recommended Fix

    Return a generic error message: {"status": "not_ready", "reason": "database unavailable"}

    Log the full exception server-side for debugging

Fix

Fixed in commit 7aa8787 on branch releases/1.4.x — replaced str(e) with generic "database check failed" message; full exception logged server-side at WARNING level.
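The pattern before and after the fix, as an added illustration that is not the project's own server.py: a constructed driver error that embeds host, port and user, the leaky handler that echoes it, and the hardened handler that returns a generic reason and logs the detail at WARNING. The framework, function names and the error text are assumptions for the example.

```python
import logging

logger = logging.getLogger("readiness")


class DatabaseError(Exception):
    """Stand-in for a driver exception; real drivers embed connection details."""


def check_database_connection() -> None:
    # Constructed failure (assumption): a typical driver message that
    # carries the hostname, port and user of the backing database.
    raise DatabaseError(
        'could not connect to server: Connection refused '
        '(host="db.internal.example", port=5432, user="app_rw")'
    )


def ready_leaky(check=check_database_connection) -> dict:
    """The pattern described in the advisory: exception text reaches the caller."""
    try:
        check()
        return {"status": "ready"}
    except Exception as e:
        return {"status": "not_ready", "reason": str(e)}


def ready_fixed(check=check_database_connection) -> dict:
    """Hardened pattern: generic reason for the caller, detail only in server logs."""
    try:
        check()
        return {"status": "ready"}
    except Exception as e:
        # Operators still get the full message (plus the exception type so the
        # log line is actionable); unauthenticated callers get a fixed string.
        logger.warning("readiness database check failed: %s: %s", type(e).__name__, e)
        return {"status": "not_ready", "reason": "database check failed"}


def response_leaks(body: dict, *sensitive: str) -> bool:
    """Check helper: does any sensitive token appear anywhere in the response body?"""
    text = repr(body)
    return any(token in text for token in sensitive)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(ready_leaky())   # shows host, port and user in "reason"
    print(ready_fixed())   # generic reason; detail goes to the log instead
```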

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
