VYPR
Medium severity · OSV Advisory · Published Aug 6, 2025 · Updated Apr 15, 2026

CVE-2025-54876

Description

The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-54876: The Janssen IAM CLI (jans-cli-tui) stores user passwords and client secrets in plaintext in the local cli_cmd.log file.

Vulnerability

Overview

CVE-2025-54876 concerns the Janssen Project, an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, the command-line interface (jans-cli-tui) writes passwords and client secrets as plaintext into a local log file (cli_cmd.log). The root cause is that the logging functions did not redact sensitive fields before writing command arguments to disk [1][2].

Exploitation and Prerequisites

The vulnerability is local in nature; an attacker who gains read access to the log file on the system where the CLI is run can retrieve the stored credentials. No authentication to the Janssen server is required for this access; only file-system read privileges on the machine hosting the CLI tool are needed [1]. The issue is exposed when administrative commands are executed via the CLI, causing passwords to appear in the log [3].

Impact

Successful exploitation allows a local attacker to obtain plaintext passwords and client secrets. These credentials could then be used to gain unauthorized administrative privileges within the Janssen IAM environment, potentially leading to further compromise of identity and access management operations [1][4].

Mitigation

The Janssen Project has addressed the issue in a nightly prerelease build. The fix, implemented in pull request #11903, modifies the logging routines to mask sensitive fields (userPassword and clientSecret) with asterisks before writing to the log file [3][4]. Users are advised to upgrade to the latest prerelease or apply the patch manually. Administrators should also delete any existing cli_cmd.log files that may contain plaintext credentials [1].
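One way to implement the masking the fix describes, as an added example in Python that is not the project's own code: the argument vector is scrubbed before any log line is written, covering secrets inside JSON payloads as well as `--key value` and `--key=value` tokens (the flag names are hypothetical, as is the assumption that the CLI logs its raw argument list).

```python
import json
import re
from typing import Any

# Field names treated as secrets: the two named in the advisory plus common spellings.
# Names are normalised (lower-case, letters only) so clientSecret, client_secret and
# --client-secret all match "clientsecret".
SENSITIVE_KEYS = {"userpassword", "clientsecret", "password", "secret"}
MASK = "********"


def _is_sensitive(name: str) -> bool:
    return re.sub(r"[^a-z]", "", name.lower()) in SENSITIVE_KEYS


def redact(obj: Any) -> Any:
    """Recursively mask sensitive members of JSON-like data (dicts, lists, JSON strings)."""
    if isinstance(obj, dict):
        return {k: (MASK if _is_sensitive(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        # A string argument may itself be a JSON document (e.g. a hypothetical --data payload).
        try:
            parsed = json.loads(obj)
        except ValueError:
            return obj
        return json.dumps(redact(parsed)) if isinstance(parsed, (dict, list)) else obj
    return obj


def redact_argv(argv: list[str]) -> list[str]:
    """Mask secrets in an argument vector: --key=value, --key value, and JSON payloads."""
    out: list[str] = []
    mask_next = False  # set when the previous token was a secret-bearing flag
    for tok in argv:
        if mask_next:
            out.append(MASK)
            mask_next = False
        elif tok.startswith("--") and "=" in tok:
            key, _, value = tok.partition("=")
            out.append(f"{key}={MASK if _is_sensitive(key) else redact(value)}")
        elif tok.startswith("--") and _is_sensitive(tok):
            out.append(tok)
            mask_next = True
        else:
            out.append(redact(tok))
    return out


def log_line(argv: list[str]) -> str:
    # What a command log should record: the argument vector redacted, then joined.
    return " ".join(redact_argv(argv))
```

Redaction must happen on the in-memory arguments before the write call; masking a log file after the fact does not help once the plaintext has already touched disk.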

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Janssenproject/Jans (OSV) · 2 versions
    1.0.0-a3, 1.0.0-a4, charts-v1.0.0-beta.14, …+ 1 more
    • (no CPE) range: 1.0.0-a3, 1.0.0-a4, charts-v1.0.0-beta.14, …
    • (no CPE) range: <=1.9.0

Patches: 1

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)