If you’re using The Foundry’s Magritte plugin and its osisoft-pi-web-connector integration, and your version is between .15. and .43., your system may be leaking sensitive authentication information via log files. This vulnerability, CVE-2022-27893, makes it easy for attackers or even curious insiders to recover usernames and passwords from simple log access. The bug has been fixed in version .44.. In this article, we’ll walk you through what happened, show you some code, and explain how attackers might exploit this issue. As always, patch as soon as you can.

> Official Advisory:  
> The Foundry Security Advisories  
> NVD CVE Entry

What Is The Foundry Magritte Plugin?

The Foundry is well-known in the visual effects (VFX) and media industries for its pipeline tools. The Magritte plugin is an integration layer, allowing connections to lots of data sources. The osisoft-pi-web-connector brings in process data from PI servers. It's especially handy if you’re mixing VFX with real-world data.

What Is CVE-2022-27893?

CVE-2022-27893 is a flaw where the Magritte plugin’s osisoft-pi-web-connector (from version .15. up to .43.) logs sensitive authentication requests into local files. These logs unintentionally capture authentication payloads, sometimes in plaintext — including passwords and API keys. The logging is verbose and not scrubbed for secrets.

Simply Put

If you set up the connector for a user to access an OSIsoft PI server, anyone with access to the plugin’s logs could find user credentials there.

Here’s what a compromised log file could look like (username and password in request)

2022-07-14 15:23:01,456 [INFO] Sending authentication request: POST /piwebapi/auth
Payload: {'username':'operator1', 'password':'Pa55wrd!'}

Or, in raw file form

[2022-07-14T15:23:01Z] [POST] to /piwebapi/auth with body: user=operator1&pass=Pa55wrd!

If these logs are not protected, any local or remote attacker (w/ log access) can grab credentials and later connect to the real PI server — sometimes with admin privileges.

The Issue: Poor Logging Practices

The actual bug comes from the logging statement in code. Here’s a simple example of what went wrong:

# Vulnerable example from osisoft-pi-web-connector < .44.

def authenticate(user, password):
    logger.info(f"Sending authentication request: user={user}, password={password}")
    # ... actual request sent here

Best practices say you should never log sensitive info. Fixed versions will log only user IDs, or anonymized payloads:

# Safe code in osisoft-pi-web-connector >= .44.

def authenticate(user, password):
    logger.info(f"Sending authentication request for user: {user}")
    # ... actual request sent here

Credentials are entered during setup, or for scheduled refresh.

3. Plugin logs the entire authentication request including the password in plaintext to its logfile.
4. Attacker or malicious insider reads the log file (usually on the same server or wherever logs are stored).
5. Attacker uses harvested credentials to access data, pivot deeper into systems, or escalate privileges.

Code Example: How Logs Get Grabbed

Suppose the log file is writable by a user “render”, and it’s stored as /var/log/magritte/piweb.log:

# One-liner to dump all password attempts from logs
grep -Eo "password[^']*'[^']+'" /var/log/magritte/piweb.log

# Or, find out all PI usernames used:
grep -Eo "user[^']*'[^']+'" /var/log/magritte/piweb.log

How to Fix

Upgrade the connector to .44. or later.  
The fix ensures passwords never hit the log file.

Reference:  
Release Notes osisoft-pi-web-connector

If you can’t upgrade immediately

- Restrict log file access (chmod/chown)

- NVD Entry for CVE-2022-27893
- The Foundry Security Advisory
- GitHub Release v.44.
- OSIsoft PI Web API Overview

Timeline

Published on: 11/04/2022 16:15:00 UTC
Last modified on: 11/14/2022 15:23:00 UTC