We want to ensure Sensu users are aware of a potential security vulnerability discovered recently. It impacts all Sensu versions earlier than 1.2.1 and its full description is here. In a nutshell, if you have passwords in your configuration, there’s a chance they’re not redacted when the configuration is printed in Sensu service logs (/var/log/sensu).
For what it’s worth, the redact method has worked this way for 5 years, so we are reasonably confident it hasn’t been a major concern to users. Also remember that users would need access to /var/log/sensu in order to view these logs. That said, we want to take this seriously and get the information to you promptly.
All the best,
VP Community, Sensu
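
An added example, not part of the original announcement or of Sensu's own code: a small Ruby audit that checks log lines for sensitive-looking keys whose values were written in clear text. It assumes one JSON object per log line, a "REDACTED" marker for redacted values, and the key list below; the sample lines are constructed.

```ruby
require 'json'

# Assumptions: these key names count as sensitive and redacted values appear
# as the string "REDACTED". Adjust both to match your own configuration.
SENSITIVE_KEYS = %w[password passwd pass api_key api_token access_key
                    secret_key private_key secret].freeze
MARKER = 'REDACTED'

# Walk a parsed JSON value and collect the paths of sensitive keys whose
# scalar value was logged as something other than the redaction marker.
def unredacted_paths(node, path = [], hits = [])
  case node
  when Hash
    node.each do |key, value|
      here = path + [key.to_s]
      scalar = !(Hash === value || Array === value)
      if scalar && SENSITIVE_KEYS.include?(key.to_s.downcase)
        hits << here.join('.') unless value.nil? || value == MARKER
      else
        unredacted_paths(value, here, hits)
      end
    end
  when Array
    node.each_with_index { |item, i| unredacted_paths(item, path + ["[#{i}]"], hits) }
  end
  hits
end

# Scan log lines and report [line number, key path] pairs only; the secret
# value itself is never returned or printed.
def scan_log(lines)
  lines.each_with_index.flat_map do |line, idx|
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      next [] # not a JSON log line; skip it
    end
    unredacted_paths(event).map { |p| [idx + 1, p] }
  end
end

# Constructed sample input (not real Sensu output).
SAMPLE = [
  '{"level":"info","message":"constructed sample","settings":{"rabbitmq":{"password":"REDACTED"}}}',
  '{"level":"info","message":"constructed sample","settings":{"handlers":[{"api_key":"constructed-not-a-real-secret"}]}}',
  'plain text line that is not JSON'
].freeze

scan_log(SAMPLE).each { |n, p| puts "line #{n}: #{p}" } if __FILE__ == $PROGRAM_NAME
```

To audit real logs, pass the lines of each file under /var/log/sensu to scan_log and rotate any credential it flags.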