Impact
When using the JSON authentication method in the ZAP Advanced scanner, the Python script configuring ZAP was logging the credentials (username & password) used. The vulnerability is present in our secureCodeBox scripts, not in ZAP itself. Only the zap-advanced ScanType is affected; zap-baseline-scan, zap-api-scan and zap-full-scan are not affected.
Patches
#1500
Released in v3.15.2
Workarounds
Switch away from JSON authentication.
References
The issue has been present since the introduction of our ZAP Advanced Scripts.
If you are using a log system like Elasticsearch, search your log history for matching log lines and purge them from the history. The related log lines all start with: HTTP ZAP HTTP JSON Params
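As an added example (not part of this advisory or of the secureCodeBox project's own code), a small Python helper that scans an exported log history for lines carrying the prefix named above and masks the credential values before the lines are purged or re-indexed. The JSON shape following the prefix and the set of secret-looking key names are assumptions; the advisory only states that username and password were logged.

```python
import re

# Prefix stated in the advisory: every affected log line starts with this.
LEAK_PREFIX = "HTTP ZAP HTTP JSON Params"

# Keys whose values are masked. The advisory names username and password;
# the remaining entries are an assumption to catch common variants.
SECRET_KEYS = {"username", "password", "user", "pass", "token"}

# Matches a JSON string key/value pair such as "password": "s3cr3t!".
_KV_RE = re.compile(r'("(?P<key>[^"]+)"\s*:\s*)"[^"]*"')


def is_leaked_credential_line(line: str) -> bool:
    """True if the line carries the prefix the advisory identifies."""
    return line.lstrip().startswith(LEAK_PREFIX)


def redact(line: str) -> str:
    """Mask values of secret-looking keys on a leaked line; other lines pass through."""
    if not is_leaked_credential_line(line):
        return line

    def _mask(m: "re.Match[str]") -> str:
        if m.group("key").lower() in SECRET_KEYS:
            return f'{m.group(1)}"[REDACTED]"'
        return m.group(0)

    return _KV_RE.sub(_mask, line)


def triage(lines):
    """Return (1-based numbers of leaked lines, redacted copy of the log)."""
    leaked, cleaned = [], []
    for n, line in enumerate(lines, start=1):
        if is_leaked_credential_line(line):
            leaked.append(n)
        cleaned.append(redact(line))
    return leaked, cleaned


# Constructed sample log lines (not real scanner output): the prefix is from
# the advisory, the trailing JSON payload is an assumed shape.
SAMPLE_LOG = [
    "2023-01-01T10:00:00Z INFO ZAP Advanced: starting authentication",
    'HTTP ZAP HTTP JSON Params {"username": "scanner", "password": "s3cr3t!"}',
    "2023-01-01T10:00:01Z INFO ZAP Advanced: authentication succeeded",
]

if __name__ == "__main__":
    numbers, cleaned_log = triage(SAMPLE_LOG)
    print("leaked credential lines:", numbers)
    print("\n".join(cleaned_log))
```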
Big thanks to @patrykzzz for pointing out the issue and providing a fix 🙌