The engineering team is currently working with the authors of requests-oauthlib to improve the security of the library's debug logging. A pull request has been drafted and discussions are ongoing. See details here: https://github.com/requests/requests-oauthlib/pull/539
No components marked as affected
Identified
Cognite has identified a security issue in one of the dependencies of the cognite-sdk-python package, namely requests_oauthlib. When the library is configured to log at the DEBUG level, it writes outgoing request headers, including the Authorization header carrying the bearer token, to the log. We are currently pursuing ways to address this in the SDK. In the meantime we strongly urge all clients to review their log level settings and ensure that the requests_oauthlib logger is set to level INFO or higher, so that its DEBUG statements are never emitted.
If you continue using DEBUG-level logging, we recommend limiting access to the logs until the tokens/credentials they contain have expired.
NOTE: the DEBUG logging in requests_oauthlib is an intended feature of the library and is not considered a security flaw in it; Cognite is posting this notification to raise awareness among the users of our SDK.
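The mitigation above (raise the requests_oauthlib logger to INFO or higher) can be applied in a few lines of Python, and a redaction filter on the log handlers gives a second line of defence for any other line that happens to mention an Authorization header. The following is an added example written for this notification; it is not code from Cognite, cognite-sdk-python or requests-oauthlib. It assumes the logger names `requests_oauthlib` and `oauthlib`, and the regular expression is an assumption about how a header value appears in a log line (plain `Authorization: Bearer ...` or a printed dict). The sample log lines and token are constructed for the demonstration.

```python
import logging
import re

# Loggers whose DEBUG output can include request headers. "requests_oauthlib"
# is the one named in the advisory; "oauthlib" is an assumption, added for
# defence in depth since requests_oauthlib builds on it.
OAUTH_LOGGER_NAMES = ("requests_oauthlib", "oauthlib")

# Assumed log-line shapes: "Authorization: Bearer <token>" or a printed dict
# such as {'Authorization': 'Bearer <token>'}. Group 1 is kept, group 2 (the
# credential) is replaced.
_AUTH_HEADER_RE = re.compile(
    r"(authorization['\"]?\s*[:=]\s*['\"]?(?:bearer|basic)?\s*)([^'\",\s}]+)",
    re.IGNORECASE,
)


def redact_authorization(text):
    """Replace the credential part of any Authorization header in `text`."""
    return _AUTH_HEADER_RE.sub(r"\g<1>[REDACTED]", text)


class RedactAuthorizationFilter(logging.Filter):
    """Handler-level filter that scrubs credentials before a record is written.

    The message is rendered eagerly (msg % args) so that tokens passed as
    format arguments, e.g. a headers dict, are redacted as well.
    """

    def filter(self, record):
        record.msg = redact_authorization(record.getMessage())
        record.args = None
        return True


def install_redaction(handler):
    """Attach the redaction filter to a handler once (idempotent)."""
    if not any(isinstance(f, RedactAuthorizationFilter) for f in handler.filters):
        handler.addFilter(RedactAuthorizationFilter())
    return handler


def configure_oauth_logging(level=logging.INFO):
    """Apply the advisory's mitigation and return the resulting effective levels.

    Setting the level on the parent logger covers children such as
    "requests_oauthlib.oauth2_session". Filters attached to a logger are NOT
    inherited by child loggers, so the redaction filter goes on the root
    handlers, which every propagated record passes through.
    """
    for name in OAUTH_LOGGER_NAMES:
        logging.getLogger(name).setLevel(level)
    for handler in logging.getLogger().handlers:
        install_redaction(handler)
    return {name: logging.getLogger(name).getEffectiveLevel() for name in OAUTH_LOGGER_NAMES}


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    """Exercise the mitigation with constructed log lines; returns what was written."""
    root = logging.getLogger()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    previous_level = root.level
    root.addHandler(handler)
    root.setLevel(logging.DEBUG)  # the risky application-wide setting from the advisory
    try:
        configure_oauth_logging(logging.INFO)
        lib = logging.getLogger("requests_oauthlib.oauth2_session")
        headers = {"Authorization": "Bearer constructed.token.value"}  # constructed sample
        # DEBUG line of the kind that would carry the token: suppressed by the level.
        lib.debug("Requesting url %s using headers %s", "https://api.example.invalid/", headers)
        # INFO line that still mentions the header: the credential is redacted.
        lib.info("Retrying with headers %s", headers)
        lib.info("Token refresh finished")
    finally:
        root.removeHandler(handler)
        root.setLevel(previous_level)
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Call `configure_oauth_logging()` once after the application's own `logging.basicConfig(...)` or dictConfig call, so that the root handlers exist when the filter is attached; the level change alone is enough to stop the header dumps, the filter only covers lines that reach a handler anyway.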