This might be an unpopular opinion (I haven’t validated that this report is actually true), but I don’t think this is OK and it should still be flagged as a bug. Having access to the application doesn’t mean you should be able to retrieve the password to the database. We have a separation of duties policy for sensitive information, and this gives non-privileged users key information to access the database. Certainly there are other layers of protection around access to that information, but a password being exposed in plain text is not OK.
This only works because of the cookies, IMO. If you open a private browsing window and try it you should get something like:
{"success":false,"messages":[{"level":"ERROR","show_user":false,"message":"org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource"}]}
The cleartext DB password can indeed be obtained from the system config ws, but only if you’re logged in with an admin account. This is not actually a security issue, since a user with an admin account has full access over DB content and structure anyway (including the possibility to manipulate SQL).
A future release may add an option to obfuscate/hide this configuration in the ws. This would be mostly for aesthetic reasons, since the actual security impact of this behavior is negligible.
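As an added illustration of the hide-in-ws option discussed above (example code written for this thread, not the project's own implementation), the snippet below masks secret-looking values in a JSON-like configuration before it is serialised for a config endpoint, and checks the serialised result for the known cleartext values. The config structure, key pattern and sample values are constructed assumptions.

```python
import json
import re
from typing import Any

# Keys whose values should never leave the server in cleartext.
# The pattern is an assumption for this example; tune it to the real config schema.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.IGNORECASE)
MASK = "********"


def redact_secrets(node: Any) -> Any:
    """Return a copy of a JSON-like config with secret-looking values masked.

    Dicts and lists are walked recursively; scalars are returned unchanged
    unless their key matches SECRET_KEY_PATTERN. Keys are kept so operators
    can still see that a value is configured, just not what it is.
    """
    if isinstance(node, dict):
        return {
            k: (MASK if SECRET_KEY_PATTERN.search(str(k)) and not isinstance(v, (dict, list))
                else redact_secrets(v))
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact_secrets(v) for v in node]
    return node


def contains_cleartext(payload: str, secrets: list) -> bool:
    """Check a serialised response body for any of the known secret values."""
    return any(s in payload for s in secrets)


# Constructed sample config resembling what a system-config web service might return.
SAMPLE_CONFIG = {
    "database": {"url": "jdbc:postgresql://db.internal/app", "username": "app", "password": "hunter2"},
    "mail": {"host": "smtp.internal", "smtpPassword": "m4il-s3cret"},
    "features": ["audit", "sso"],
}

if __name__ == "__main__":
    redacted = redact_secrets(SAMPLE_CONFIG)
    print(json.dumps(redacted, indent=2))
    print("leaks cleartext:", contains_cleartext(json.dumps(redacted), ["hunter2", "m4il-s3cret"]))
```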