PT-2026-32130 · Pypi · Openssl-Encrypt
Published
2026-04-01
·
Updated
2026-04-01
CVSS v4.0
6.6
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
Summary
The
/ready endpoint in openssl encrypt server/server.py at lines 159-175 catches database errors and returns the full exception string in the response.Affected Code
python
except Exception as e:
return {"status": "not ready", "reason": str(e)}Impact
Database exception messages can leak:
- Database hostnames and IP addresses
- Connection parameters and port numbers
- Driver version information
- Potentially database credentials if included in connection string errors
This information is available to unauthenticated callers.
Recommended Fix
- Return a generic error message:
{"status": "not ready", "reason": "database unavailable"} - Log the full exception server-side for debugging
Fix
Fixed in commit
7aa8787 on branch releases/1.4.x — replaced str(e) with generic "database check failed" message; full exception logged server-side at WARNING level.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openssl-Encrypt