CVE-2020-10750
Description
A vulnerability in which sensitive information is written to a log file was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jaeger before 1.18.1 logs Kafka credentials in plaintext, enabling low-privileged container access to leak secrets.
Root Cause
When using Kafka as a storage backend, Jaeger versions up to and including 1.18.0 wrote the entire producer configuration, including plaintext and Kerberos credentials, into container logs at the default INFO level. The vulnerability occurs in the Initialize method of the Kafka factory (plugin/storage/kafka/factory.go), where logger.Info("Kafka factory", zap.Any("producer builder", f.Builder), ...) logs the Builder object. This object contains the full Kafka configuration, including authentication credentials, because InitFromViper assigns the configuration struct directly to the builder field [1][2].
Attack Prerequisites
An attacker must have access to the Jaeger container's log file. This could be a low-privileged user within the same pod or anyone with read access to the log stream. No authentication to the Jaeger service itself is required, as the credentials are written out by default during startup [2][3].
Impact
Exploitation reveals the Kafka credentials (plaintext username/password or Kerberos principal/password) to anyone able to view the logs. With these credentials, an attacker could connect directly to the Kafka broker and potentially read or manipulate the tracing data stream, which may contain sensitive application information [1][2].
Mitigation
The issue is fixed in Jaeger version 1.18.1, which modifies the logging to avoid including the credential fields. The fix adds a custom logging encoder that sanitizes the builder configuration before it is logged [4]. Users running a version prior to 1.18.1 with Kafka storage should upgrade immediately.
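To show why a struct tag is enough to stop the leak described above, and one step beyond it, here is an added example (not Jaeger's own code): it marshals a producer-auth struct the way a reflected zap field is encoded, before and after a `json:"-"` tag on the password, and adds a constructed `Secret` type that also redacts itself for fmt-style printing. It assumes only that zap's JSON encoder hands plain struct values to encoding/json, which is why the tag alone closes the zap.Any path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// VulnerableConfig mirrors PlainTextConfig before the fix: Password carries no
// json tag, so encoding/json (used by zap's JSON encoder for zap.Any on a
// plain struct) serialises it like any other field.
type VulnerableConfig struct {
	UserName string `mapstructure:"username"`
	Password string `mapstructure:"password"`
}
// FixedConfig mirrors the 1.18.1 change: `json:"-"` drops Password from JSON.
type FixedConfig struct {
	UserName string `mapstructure:"username"`
	Password string `mapstructure:"password" json:"-"`
}
// Secret is a defence-in-depth type (constructed here, not part of Jaeger): it
// redacts itself for encoding/json and for fmt, so %+v cannot print it either.
type Secret string

func (s Secret) MarshalJSON() ([]byte, error) { return []byte(`"[REDACTED]"`), nil }
func (s Secret) String() string               { return "[REDACTED]" }

// HardenedConfig stores the credential as a Secret instead of a bare string.
type HardenedConfig struct {
	UserName string
	Password Secret
}

// LogLine renders cfg the way a reflection-encoded zap field lands in a JSON log line.
func LogLine(cfg interface{}) string {
	b, err := json.Marshal(cfg)
	if err != nil {
		return "marshal error: " + err.Error()
	}
	return `{"msg":"Kafka factory","producer builder":` + string(b) + `}`
}

// LeaksSecret is the same check the upstream regression test makes on its log buffer.
func LeaksSecret(line, secret string) bool { return strings.Contains(line, secret) }

func main() {
	const pw = "SECRET" // constructed sample credential
	for _, cfg := range []interface{}{VulnerableConfig{"u", pw}, FixedConfig{"u", pw}, HardenedConfig{"u", Secret(pw)}} {
		fmt.Printf("%s leaks=%v\n", LogLine(cfg), LeaksSecret(LogLine(cfg), pw))
	}
}
```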
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jaegertracing/jaeger (Go) | < 1.18.1 | 1.18.1 |
Affected products
OSV coordinates (4 versions):
- pkg:apk/chainguard/jaeger-agent (no CPE), range: < 0
- pkg:apk/wolfi/jaeger-agent (no CPE), range: < 0
- pkg:bitnami/jaeger (no CPE), range: < 1.18.1
- pkg:golang/github.com/jaegertracing/jaeger (no CPE), range: < 1.18.1
CPE: the Jager project / jaegertracing / jaeger, range: 1.18.1
Patches
- 360c38bec3f9: Avoid logging clear text passwords in kafka producer
  3 files changed · +56 −2
pkg/kafka/auth/kerberos.go+1 −1 modified@@ -24,7 +24,7 @@ type KerberosConfig struct { Realm string `mapstructure:"realm"` UseKeyTab bool `mapstructure:"use_keytab"` Username string `mapstructure:"username"` - Password string `mapstructure:"password"` + Password string `mapstructure:"password" json:"-"` ConfigPath string `mapstructure:"config_file"` KeyTabPath string `mapstructure:"keytab_file"` }
pkg/kafka/auth/plaintext.go+1 −1 modified@@ -21,7 +21,7 @@ import ( // PlainTextConfig describes the configuration properties needed for SASL/PLAIN with kafka type PlainTextConfig struct { UserName string `mapstructure:"username"` - Password string `mapstructure:"password"` + Password string `mapstructure:"password" json:"-"` } func setPlainTextConfiguration(config *PlainTextConfig, saramaConfig *sarama.Config) {
plugin/storage/kafka/factory_test.go+54 −0 modified@@ -15,6 +15,7 @@ package kafka import ( + "bytes" "errors" "testing" @@ -24,6 +25,7 @@ import ( "github.com/stretchr/testify/require" "github.com/uber/jaeger-lib/metrics" "go.uber.org/zap" + "go.uber.org/zap/zapcore" "github.com/jaegertracing/jaeger/pkg/config" kafkaConfig "github.com/jaegertracing/jaeger/pkg/kafka/producer" 
@@ -105,6 +107,58 @@ func TestKafkaFactoryMarshallerErr(t *testing.T) { assert.Error(t, f.Initialize(metrics.NullFactory, zap.NewNop())) } +func TestKafkaFactoryDoesNotLogPassword(t *testing.T) { + tests := []struct { + name string + flags []string + }{ + { + name: "plaintext", + flags: []string{ + "--kafka.producer.authentication=plaintext", + "--kafka.producer.plaintext.username=username", + "--kafka.producer.plaintext.password=SECRET", + "--kafka.producer.brokers=localhost:9092", + }, + }, + { + name: "kerberos", + flags: []string{ + "--kafka.producer.authentication=kerberos", + "--kafka.producer.kerberos.username=username", + "--kafka.producer.kerberos.password=SECRET", + "--kafka.producer.brokers=localhost:9092", + }, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + + f := NewFactory() + v, command := config.Viperize(f.AddFlags) + err := command.ParseFlags(test.flags) + require.NoError(t, err) + + f.InitFromViper(v) + + parsedConfig := f.Builder.(*kafkaConfig.Configuration) + f.Builder = &mockProducerBuilder{t: t, Configuration: *parsedConfig} + logbuf := &bytes.Buffer{} + logger := zap.New(zapcore.NewCore( + zapcore.NewJSONEncoder(zap.NewProductionEncoderConfig()), + zapcore.AddSync(logbuf), + zap.NewAtomicLevel(), + )) + err = f.Initialize(metrics.NullFactory, logger) + require.NoError(t, err) + logger.Sync() + + require.NotContains(t, logbuf.String(), "SECRET", "log output must not contain password in clear text") + }) + } +} + func TestInitFromOptions(t *testing.T) { f := NewFactory() o := Options{Topic: "testTopic", Config: kafkaConfig.Configuration{Brokers: []string{"host"}}}
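Review bot: the `json:"-"` tag added to KerberosConfig.Password in the pkg/kafka/auth/kerberos.go hunk is a correct minimal fix for the zap.Any path, because zap's JSON encoder hands a plain struct to encoding/json, which honours that tag; it does nothing for fmt-style formatting (%v, %+v) or for any other encoder, so every other place that prints this config still needs its own redaction. A one-line comment on the field stating that the tag exists to keep the password out of logs would stop a later refactor from dropping it.

Review bot: the pkg/kafka/auth/plaintext.go hunk applies the same tag to PlainTextConfig.Password; UserName is still serialised, which is acceptable since it is not a secret, but the protection now rests on every future credential-bearing field in these auth structs carrying `json:"-"` as well. Either a note at the struct definition or a shared self-redacting type for secrets would make that requirement explicit.

Review bot: TestKafkaFactoryDoesNotLogPassword only asserts that "SECRET" is absent from the buffer, so it would also pass if Initialize stopped logging the builder altogether; adding `require.Contains(t, logbuf.String(), "producer builder")` would confirm the log line was actually emitted and only the password was dropped. The return value of `logger.Sync()` is discarded; `require.NoError(t, logger.Sync())` keeps a flush failure visible.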
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gh32-pc56-4c96 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-10750 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_CONFIRM, WEB)
- github.com/jaegertracing/jaeger/commit/360c38bec3f9718ebba7ddbf0b409b05995f3ace (ghsa, WEB)
- github.com/jaegertracing/jaeger/releases/tag/v1.18.1 (ghsa, x_refsource_CONFIRM, WEB)