Details
Description
mysql_clear_password as the initial-handshake plugin leaks the cleartext password to a MitM under sslMode=verify-full/verify-ca without a pinned certificate.
With verify-full/verify-ca, a non-empty password and no serverSslCert/trustStore configured, the connector accepts a self-signed certificate at the TLS layer and enforces server identity afterwards via certificate-fingerprint binding. That guard exists on the OK-packet and auth-switch paths but not on the initial-handshake path: when a rogue/MitM server names mysql_clear_password as the initial plugin, HandshakeResponse.encode() checks only that SSL is enabled and sends the password in cleartext before any fingerprint check runs. The connection is rejected immediately afterwards, but the credential has already been disclosed.
Affected: sslMode=verify-full/verify-ca, non-empty password, no serverSslCert/trustStore. Not affected when a certificate is pinned, or sslMode=trust/disable.
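The gap described above, as an added example that is not the connector's code or part of the advisory: a simplified model of the client-side gate that decides whether the mysql_clear_password plugin may send the password, with the SSL-only check beside a variant that also requires established server identity. Phase names, field names and the constructed MitM scenario are assumptions.

```python
from dataclasses import dataclass

# Added example (not the connector's code): model of the cleartext-password gate.
CLEAR_PLUGIN = "mysql_clear_password"


@dataclass
class ConnState:
    phase: str                  # "initial_handshake", "auth_switch" or "ok_packet"
    ssl_mode: str               # "disable", "trust", "verify-ca" or "verify-full"
    ssl_active: bool            # TLS negotiated (a self-signed cert passes here)
    cert_pinned: bool           # serverSslCert / trustStore configured
    fingerprint_verified: bool  # certificate-fingerprint binding already checked


def identity_established(st: ConnState) -> bool:
    # A pinned certificate means the TLS layer already enforced identity.
    # Otherwise identity is known only after the fingerprint check, which runs
    # on the OK-packet and auth-switch paths, never before the initial handshake.
    fingerprint_ok = st.fingerprint_verified and st.phase in ("auth_switch", "ok_packet")
    return st.ssl_active and (st.cert_pinned or fingerprint_ok)


def vulnerable_gate(st: ConnState, plugin: str) -> bool:
    """Behaviour described in the advisory: only 'is SSL enabled?' is checked."""
    if plugin != CLEAR_PLUGIN:
        return True
    return st.ssl_active


def hardened_gate(st: ConnState, plugin: str) -> bool:
    """Same gate, but verify-* modes additionally require server identity."""
    if plugin != CLEAR_PLUGIN:
        return True
    if st.ssl_mode in ("verify-ca", "verify-full"):
        return identity_established(st)
    return st.ssl_active  # trust mode never promised identity; disable has no TLS


def mitm_initial_handshake(ssl_mode: str = "verify-full", cert_pinned: bool = False) -> ConnState:
    # Constructed scenario: a rogue server presents a self-signed certificate and
    # names mysql_clear_password as the *initial* plugin, before any fingerprint check.
    return ConnState("initial_handshake", ssl_mode, True, cert_pinned, False)


def clear_password_sent(gate, st: ConnState) -> bool:
    return gate(st, CLEAR_PLUGIN)


if __name__ == "__main__":
    st = mitm_initial_handshake()
    print("vulnerable gate sends password:", clear_password_sent(vulnerable_gate, st))  # True
    print("hardened gate sends password:", clear_password_sent(hardened_gate, st))      # False
```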