The RTC password is masked in most places, but not if a command gets executed unsuccessfully. The log message on command-execution failure contains the clear text password.

The log message comes from the JazzClient.popen()

Here is the offending code:
listener.error("Failed to run " + args.toStringWithQuote());

If the user enters incorrect credentials the error message will make that clear (even without the clear text password). But if for example a locking error occurs, the password shouldn't be in clear text in log messages.
Is it possible to mask the password in this situation as well?