GHSA-v75g-77vf-6jjq: 
Java vulnerability analysis and mitigation

A sensitive information exposure vulnerability was identified in Para Server (com.erudika:para-server) affecting versions prior to 1.50.8. The vulnerability, tracked as GHSA-v75g-77vf-6jjq, was discovered and published on May 30, 2025. This security issue is classified as CWE-532 (Insertion of Sensitive Information into Log File) and received a CVSS score of 7.5 (High) (GitHub Advisory).

The vulnerability exists in the HealthUtils.java file of Para Server v1.50.6, specifically in the logging functionality during server initialization. When a configuration file write operation fails, the system logs both the access key and secret key credentials in plaintext through a logger.info() statement. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating local access vector, low attack complexity, no privileges required, and high confidentiality impact (GitHub Advisory).

The vulnerability could lead to the exposure of sensitive root application credentials in log files. These credentials, including both access and secret keys, could be accessed by unauthorized users who have access to the system logs, potentially compromising the security of the Para Server installation (GitHub Advisory).

The vulnerability has been patched in version 1.50.8 of Para Server. The fix involves removing the logging of the root application secret while maintaining the logging of the access key for necessary debugging purposes (Para Commit).