CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-8CM5-JFJ2-26Q7
Vulnerability from github – Published: 2024-05-29 15:25 – Updated: 2024-05-31 20:44The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as @ and $, webserver startup fails and the part of the password following the special character is exposed in webserver error logs.
This is caused by improper escaping of the SQLAlchemy password string, see here and here for more info.
Impact
Partial exposure of hosted database password in webserver logs
Patches
The vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no workarounds.
Proof of Concept
- Create a hosted PostgreSQL database for Fides with a password including
@or$e.g.p@ssword - Run Fides and observe failure, sample log attached
fides | 2024-02-28 14:27:52.609 | ERROR | fides.api.db.database:configure_db:117 - Unable to configure database: sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name "ssword@fides-db" to address: Name or service not known
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.37.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34715"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-29T15:25:51Z",
"nvd_published_at": "2024-05-29T17:16:20Z",
"severity": "LOW"
},
"details": "The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs.\n\nThis is caused by improper escaping of the SQLAlchemy password string, see [here](https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords) and [here](https://github.com/sqlalchemy/sqlalchemy/discussions/6615) for more info.\n\n### Impact\nPartial exposure of hosted database password in webserver logs\n\n### Patches\nThe vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nThere are no workarounds.\n\n### Proof of Concept\n1. Create a hosted PostgreSQL database for Fides with a password including `@` or `$` e.g. `p@ssword`\n2. Run Fides and observe failure, sample log attached\n\n```\nfides | 2024-02-28 14:27:52.609 | ERROR | fides.api.db.database:configure_db:117 - Unable to configure database: sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name \"ssword@fides-db\" to address: Name or service not known\n```",
"id": "GHSA-8cm5-jfj2-26q7",
"modified": "2024-05-31T20:44:41Z",
"published": "2024-05-29T15:25:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34715"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
},
{
"type": "WEB",
"url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
},
{
"type": "WEB",
"url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability"
}
GHSA-8CX5-6HGH-W2WV
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.
{
"affected": [],
"aliases": [
"CVE-2020-2048"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T00:15:00Z",
"severity": "LOW"
},
"details": "An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.2.",
"id": "GHSA-8cx5-6hgh-w2wv",
"modified": "2022-05-24T17:33:53Z",
"published": "2022-05-24T17:33:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2048"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2020-2048"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8F4M-HCCC-8QPH
Vulnerability from github – Published: 2021-06-01 21:38 – Updated: 2024-09-10 21:36A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.18rc1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.19rc1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0a1"
},
{
"fixed": "2.10.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20191"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-01T20:27:31Z",
"nvd_published_at": "2021-05-26T21:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-8f4m-hccc-8qph",
"modified": "2024-09-10T21:36:14Z",
"published": "2021-06-01T21:38:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/73488"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/73489"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/cc82d986c40328d4ae81298a9d287c95a6326bb0"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/d74a1b1d1325af2a24848044cf2858987f5a3ecc"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2021-20191"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8f4m-hccc-8qph"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-124.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Log File in ansible"
}
GHSA-8F5R-8CMQ-7FMQ
Vulnerability from github – Published: 2025-06-26 21:25 – Updated: 2025-07-29 16:00Impact
OpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166.
Patches
This issue has been fixed in OpenBao v2.3.0 and later.
Workarounds
Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
Remediation
Users with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching:
Audit Log
... "error":"error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" ...
Server Log
error converting input for field "password": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'
If any matches are found, rotating the affected secret is advised.
References
See also: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
See also: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0
See also: https://github.com/go-viper/mapstructure/pull/105 -> https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao/sdk/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52893"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-26T21:25:00Z",
"nvd_published_at": "2025-06-25T17:15:39Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. \n\n### Patches\n\nThis issue has been fixed in OpenBao v2.3.0 and later.\n\n### Workarounds\n\nLike with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.\n\n### Remediation\n\nUsers with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching:\n\nAudit Log\n\n```\n... \"error\":\"error converting input for field \\\"password\\\": expected type \u0027string\u0027, got unconvertible type \u0027map[string]interface {}\u0027, value: \u0027\u003csensitive data\u003e\u0027\" ...\n```\n\nServer Log\n\n```\nerror converting input for field \"password\": expected type \u0027string\u0027, got unconvertible type \u0027map[string]interface {}\u0027, value: \u0027\u003csensitive data\u003e\u0027\n```\n\nIf any matches are found, rotating the affected secret is advised.\n\n### References\n\nSee also: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717\n\nSee also: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0\n\nSee also: https://github.com/go-viper/mapstructure/pull/105 -\u003e https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a",
"id": "GHSA-8f5r-8cmq-7fmq",
"modified": "2025-07-29T16:00:27Z",
"published": "2025-06-26T21:25:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52893"
},
{
"type": "WEB",
"url": "https://github.com/go-viper/mapstructure/pull/105"
},
{
"type": "WEB",
"url": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717"
},
{
"type": "WEB",
"url": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0"
},
{
"type": "PACKAGE",
"url": "github.com/openbao/openbao/sdk/v2/framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenBao Inserts Sensitive Information into Log File when processing malformed data"
}
GHSA-8F74-PQ25-4XR2
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-44155"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:37Z",
"severity": "MODERATE"
},
"details": "Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
"id": "GHSA-8f74-pq25-4xr2",
"modified": "2023-09-27T15:30:39Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44155"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3471"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8FM4-R23P-V68V
Vulnerability from github – Published: 2024-03-06 18:30 – Updated: 2025-01-21 18:23Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.sonymobile.jenkins.plugins.mq:mq-notifier"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28154"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-06T19:21:33Z",
"nvd_published_at": "2024-03-06T17:15:10Z",
"severity": "MODERATE"
},
"details": "Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.",
"id": "GHSA-8fm4-r23p-v68v",
"modified": "2025-01-21T18:23:47Z",
"published": "2024-03-06T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28154"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/mq-notifier-plugin/commit/46c9f228a3317eb87562bc3d99f7e184bdcecbfe"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/mq-notifier-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3180"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins MQ Notifier Plugin exposes sensitive information in build logs"
}
GHSA-8FQW-XQVX-7F2J
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.
This issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6), all versions of 8.80 and prior.
{
"affected": [],
"aliases": [
"CVE-2024-42407"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:23Z",
"severity": "HIGH"
},
"details": "Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \n\nThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u00a0all versions of 8.80 and prior.",
"id": "GHSA-8fqw-xqvx-7f2j",
"modified": "2024-12-12T03:33:06Z",
"published": "2024-12-12T03:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42407"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-42407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8G38-3M6V-232J
Vulnerability from github – Published: 2024-03-13 15:30 – Updated: 2024-03-13 22:28A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.
Patches
This has been fixed in the CKAN 2.9.11 and 2.10.4 versions
Workarounds
Override the /user/reset endpoint to filter the id parameter in order to exclude newlines
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ckan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ckan"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27097"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-13T15:30:03Z",
"nvd_published_at": "2024-03-13T21:15:58Z",
"severity": "MODERATE"
},
"details": "A user endpoint didn\u0027t perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.\n\n### Patches\nThis has been fixed in the CKAN 2.9.11 and 2.10.4 versions\n\n### Workarounds\nOverride the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines\n\n",
"id": "GHSA-8g38-3m6v-232j",
"modified": "2024-03-13T22:28:40Z",
"published": "2024-03-13T15:30:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27097"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64"
},
{
"type": "WEB",
"url": "https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13"
},
{
"type": "PACKAGE",
"url": "https://github.com/ckan/ckan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Potential log injection in reset user endpoint in CKAN"
}
GHSA-8G4X-PPF4-XJC8
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user's password in the application logs.
{
"affected": [],
"aliases": [
"CVE-2021-25688"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user\u0027s password in the application logs.",
"id": "GHSA-8g4x-ppf4-xjc8",
"modified": "2022-05-24T17:42:01Z",
"published": "2022-05-24T17:42:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25688"
},
{
"type": "WEB",
"url": "https://advisory.teradici.com/security-advisories/73"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8G63-RX6R-GHFC
Vulnerability from github – Published: 2026-02-20 00:31 – Updated: 2026-02-20 00:31Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.
{
"affected": [],
"aliases": [
"CVE-2026-2605"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T00:16:18Z",
"severity": "MODERATE"
},
"details": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.",
"id": "GHSA-8g63-rx6r-ghfc",
"modified": "2026-02-20T00:31:53Z",
"published": "2026-02-20T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2605"
},
{
"type": "WEB",
"url": "https://security.tanium.com/TAN-2026-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.