VAION-262: plaintext password in audit log when user changes their password

Release Date

11th March 2020.


When a manually added user changes their password in �My profile�, their old password is shown in plaintext in the audit log.

Affected Products

  • vcore:
    • All versions up to and including 1.4.2.
    • All 1.5 versions up to and including 1.5.1.

Unaffected Products

  • vcore:
    • All 1.4 versions from 1.4.3.
    • All versions from 1.5.2.
  • vcam: All versions.
  • vcloud: All versions.


This issue has been fixed in vcore version 1.4.3 and 1.5.2.

We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible.

Vulnerability Information


This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the vcore SSH console and executing the following command (note that this will delete all logs):

vplat# advanced clear-logs


Issue found internally by Vaion.

Disclosure Timeline

  • 09/03/2020 Issue found internally by Vaion
  • 09/03/2020 Fix identified
  • 11/03/2020 Patched vcore released
  • 11/03/2020 Vulnerability publicly disclosed