OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.
History
Thu, 02 Jul 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Opentelemetry; Opentelemetry opentelemetry-java-instrumentation | |
| Vendors & Products | Opentelemetry; Opentelemetry opentelemetry-java-instrumentation | |
Wed, 01 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0. | |
| Title | OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords | |
| Weaknesses | CWE-532 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T12:23:50.336Z
Reserved: 2026-06-15T22:58:06.563Z
Link: CVE-2026-54704
OpenCVE Enrichment
Updated: 2026-07-02T15:45:16Z