What happened?
When registering and deregistering an agent with a service principal (--auth SP), the appId, tenantId and clientsecret values are all written to the agent registration log in cleartext. When comparing this with the way that PATs are masked in the logs, this looks like a bug, and I would consider this a security risk, since having all three means a user can act as that SP and do whatever the SP is permitted, not just in Azure DevOps but everywhere in the tenant. In my mind this is as big of a risk as storing AD user passwords in clear text on disk.
Versions
Azure DevOps Agent version: 3.240.1
RuntimeInformation: Microsoft Windows 10.0.20348
Environment type (Please select at least one environment where you face this issue)
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operating system
Windows Server 2022
Version control system
No response
Relevant log output