Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-8CM5-JFJ2-26Q7

Vulnerability from github – Published: 2024-05-29 15:25 – Updated: 2024-05-31 20:44
VLAI
Summary
Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability
Details

The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as @ and $, webserver startup fails and the part of the password following the special character is exposed in webserver error logs.

This is caused by improper escaping of the SQLAlchemy password string, see here and here for more info.

Impact

Partial exposure of hosted database password in webserver logs

Patches

The vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Proof of Concept

  1. Create a hosted PostgreSQL database for Fides with a password including @ or $ e.g. p@ssword
  2. Run Fides and observe failure, sample log attached
fides  | 2024-02-28 14:27:52.609 | ERROR    | fides.api.db.database:configure_db:117 - Unable to configure database: sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name "ssword@fides-db" to address: Name or service not known
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.37.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T15:25:51Z",
    "nvd_published_at": "2024-05-29T17:16:20Z",
    "severity": "LOW"
  },
  "details": "The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs.\n\nThis is caused by improper escaping of the SQLAlchemy password string, see [here](https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords) and [here](https://github.com/sqlalchemy/sqlalchemy/discussions/6615) for more info.\n\n### Impact\nPartial exposure of hosted database password in webserver logs\n\n### Patches\nThe vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nThere are no workarounds.\n\n### Proof of Concept\n1. Create a hosted PostgreSQL database for Fides with a password including `@` or `$` e.g. `p@ssword`\n2. Run Fides and observe failure, sample log attached\n\n```\nfides  | 2024-02-28 14:27:52.609 | ERROR    | fides.api.db.database:configure_db:117 - Unable to configure database: sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name \"ssword@fides-db\" to address: Name or service not known\n```",
  "id": "GHSA-8cm5-jfj2-26q7",
  "modified": "2024-05-31T20:44:41Z",
  "published": "2024-05-29T15:25:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34715"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
    },
    {
      "type": "WEB",
      "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability"
}

GHSA-8CX5-6HGH-W2WV

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-2048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T00:15:00Z",
    "severity": "LOW"
  },
  "details": "An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.",
  "id": "GHSA-8cx5-6hgh-w2wv",
  "modified": "2022-05-24T17:33:53Z",
  "published": "2022-05-24T17:33:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2048"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2020-2048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8F4M-HCCC-8QPH

Vulnerability from github – Published: 2021-06-01 21:38 – Updated: 2024-09-10 21:36
VLAI
Summary
Insertion of Sensitive Information into Log File in ansible
Details

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.18rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.19rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0a1"
            },
            {
              "fixed": "2.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T20:27:31Z",
    "nvd_published_at": "2021-05-26T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
  "id": "GHSA-8f4m-hccc-8qph",
  "modified": "2024-09-10T21:36:14Z",
  "published": "2021-06-01T21:38:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/73488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/73489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/cc82d986c40328d4ae81298a9d287c95a6326bb0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/d74a1b1d1325af2a24848044cf2858987f5a3ecc"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2021-20191"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-8f4m-hccc-8qph"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-124.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File in ansible"
}

GHSA-8F5R-8CMQ-7FMQ

Vulnerability from github – Published: 2025-06-26 21:25 – Updated: 2025-07-29 16:00
VLAI
Summary
OpenBao Inserts Sensitive Information into Log File when processing malformed data
Details

Impact

OpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166.

Patches

This issue has been fixed in OpenBao v2.3.0 and later.

Workarounds

Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

Remediation

Users with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching:

Audit Log

... "error":"error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" ...

Server Log

error converting input for field "password": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'

If any matches are found, rotating the affected secret is advised.

References

See also: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717

See also: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0

See also: https://github.com/go-viper/mapstructure/pull/105 -> https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao/sdk/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-26T21:25:00Z",
    "nvd_published_at": "2025-06-25T17:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. \n\n### Patches\n\nThis issue has been fixed in OpenBao v2.3.0 and later.\n\n### Workarounds\n\nLike with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.\n\n### Remediation\n\nUsers with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching:\n\nAudit Log\n\n```\n... \"error\":\"error converting input for field \\\"password\\\": expected type \u0027string\u0027, got unconvertible type \u0027map[string]interface {}\u0027, value: \u0027\u003csensitive data\u003e\u0027\" ...\n```\n\nServer Log\n\n```\nerror converting input for field \"password\": expected type \u0027string\u0027, got unconvertible type \u0027map[string]interface {}\u0027, value: \u0027\u003csensitive data\u003e\u0027\n```\n\nIf any matches are found, rotating the affected secret is advised.\n\n### References\n\nSee also: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717\n\nSee also: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0\n\nSee also: https://github.com/go-viper/mapstructure/pull/105 -\u003e https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a",
  "id": "GHSA-8f5r-8cmq-7fmq",
  "modified": "2025-07-29T16:00:27Z",
  "published": "2025-06-26T21:25:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52893"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-viper/mapstructure/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/openbao/openbao/sdk/v2/framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao Inserts Sensitive Information into Log File when processing malformed data"
}

GHSA-8F74-PQ25-4XR2

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30
VLAI
Details

Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:37Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
  "id": "GHSA-8f74-pq25-4xr2",
  "modified": "2023-09-27T15:30:39Z",
  "published": "2023-09-27T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44155"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-3471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8FM4-R23P-V68V

Vulnerability from github – Published: 2024-03-06 18:30 – Updated: 2025-01-21 18:23
VLAI
Summary
Jenkins MQ Notifier Plugin exposes sensitive information in build logs
Details

Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.sonymobile.jenkins.plugins.mq:mq-notifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T19:21:33Z",
    "nvd_published_at": "2024-03-06T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.",
  "id": "GHSA-8fm4-r23p-v68v",
  "modified": "2025-01-21T18:23:47Z",
  "published": "2024-03-06T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/mq-notifier-plugin/commit/46c9f228a3317eb87562bc3d99f7e184bdcecbfe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/mq-notifier-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3180"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins MQ Notifier Plugin exposes sensitive information in build logs"
}

GHSA-8FQW-XQVX-7F2J

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33
VLAI
Details

Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.

This issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6), all versions of 8.80 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T02:15:23Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \n\nThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u00a0all versions of 8.80 and prior.",
  "id": "GHSA-8fqw-xqvx-7f2j",
  "modified": "2024-12-12T03:33:06Z",
  "published": "2024-12-12T03:33:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42407"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-42407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G38-3M6V-232J

Vulnerability from github – Published: 2024-03-13 15:30 – Updated: 2024-03-13 22:28
VLAI
Summary
Potential log injection in reset user endpoint in CKAN
Details

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.

Patches

This has been fixed in the CKAN 2.9.11 and 2.10.4 versions

Workarounds

Override the /user/reset endpoint to filter the id parameter in order to exclude newlines

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T15:30:03Z",
    "nvd_published_at": "2024-03-13T21:15:58Z",
    "severity": "MODERATE"
  },
  "details": "A user endpoint didn\u0027t perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.\n\n### Patches\nThis has been fixed in the CKAN 2.9.11 and 2.10.4 versions\n\n### Workarounds\nOverride the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines\n\n",
  "id": "GHSA-8g38-3m6v-232j",
  "modified": "2024-03-13T22:28:40Z",
  "published": "2024-03-13T15:30:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64"
    },
    {
      "type": "WEB",
      "url": "https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ckan/ckan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential log injection in reset user endpoint in CKAN"
}

GHSA-8G4X-PPF4-XJC8

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user's password in the application logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user\u0027s password in the application logs.",
  "id": "GHSA-8g4x-ppf4-xjc8",
  "modified": "2022-05-24T17:42:01Z",
  "published": "2022-05-24T17:42:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25688"
    },
    {
      "type": "WEB",
      "url": "https://advisory.teradici.com/security-advisories/73"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8G63-RX6R-GHFC

Vulnerability from github – Published: 2026-02-20 00:31 – Updated: 2026-02-20 00:31
VLAI
Details

Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T00:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.",
  "id": "GHSA-8g63-rx6r-ghfc",
  "modified": "2026-02-20T00:31:53Z",
  "published": "2026-02-20T00:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2605"
    },
    {
      "type": "WEB",
      "url": "https://security.tanium.com/TAN-2026-006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.