Description:

LDAP STS authentication exposes plaintext passwords in error messages when authentication fails. The issue occurs in providers.py where error messages include the full URL containing
the LDAPPassword parameter:

raise ValueError(f"{url} failed with HTTP status code {res.status}")
ValueError: api-dev-objectstore1.xyz.com?Action=AssumeRoleWithLDAPIdentity&Version=2011-06-15&LDAPUsername=asdf&LDAPPassword=asdf failed with HTTP status code 503

The f"{url}" directly exposes the LDAPPassword parameter in plaintext within the error message.

Summary:

Security vulnerability: LDAP passwords are leaked in plaintext through error messages during failed authentication attempts. The LDAPPassword should be obfuscated or removed from
error output to prevent credential exposure in logs and error reports.

Linked PR / Related Issue:

Context (if any):

This affects LDAP STS authentication flows and could lead to password exposure in application logs, monitoring systems, and error tracking tools.

Version:

minio-py: 7.2.16
minio: RELEASE.2025-08-29T21-27-49Z