CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-96X2-V84R-8WQ5
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26In the Dark Horse Comics application 1.3.21 for Android, token information (equivalent to the username and password) is stored in the log during authentication, and may be available to attackers via logcat.
{
"affected": [],
"aliases": [
"CVE-2019-17398"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-15T21:15:00Z",
"severity": "CRITICAL"
},
"details": "In the Dark Horse Comics application 1.3.21 for Android, token information (equivalent to the username and password) is stored in the log during authentication, and may be available to attackers via logcat.",
"id": "GHSA-96x2-v84r-8wq5",
"modified": "2024-04-04T02:26:33Z",
"published": "2022-05-24T16:58:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17398"
},
{
"type": "WEB",
"url": "https://pastebin.com/5ZDDCqgL"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9747-347M-WJJQ
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32Windows Kernel Memory Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21318"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:55Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Memory Information Disclosure Vulnerability",
"id": "GHSA-9747-347m-wjjq",
"modified": "2025-01-14T18:32:04Z",
"published": "2025-01-14T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21318"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97QM-2H4W-QGHQ
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-54484"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:29Z",
"severity": "MODERATE"
},
"details": "The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
"id": "GHSA-97qm-2h4w-qghq",
"modified": "2025-11-04T00:32:13Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54484"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97R5-3MCV-523R
Vulnerability from github – Published: 2022-05-17 03:01 – Updated: 2025-04-20 03:32MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.
{
"affected": [],
"aliases": [
"CVE-2015-8977"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-31T22:59:00Z",
"severity": "HIGH"
},
"details": "MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.",
"id": "GHSA-97r5-3mcv-523r",
"modified": "2025-04-20T03:32:04Z",
"published": "2022-05-17T03:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8977"
},
{
"type": "WEB",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-982X-V642-CGCX
Vulnerability from github – Published: 2022-11-08 12:00 – Updated: 2022-11-09 12:00Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.
{
"affected": [],
"aliases": [
"CVE-2022-44745"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.",
"id": "GHSA-982x-v642-cgcx",
"modified": "2022-11-09T12:00:25Z",
"published": "2022-11-08T12:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44745"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-98H5-V6FV-978X
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-13 18:30A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to determine kernel memory layout.
{
"affected": [],
"aliases": [
"CVE-2026-28943"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T21:18:55Z",
"severity": "HIGH"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to determine kernel memory layout.",
"id": "GHSA-98h5-v6fv-978x",
"modified": "2026-05-13T18:30:40Z",
"published": "2026-05-11T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28943"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127111"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127116"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127118"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127119"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9954-329G-42VC
Vulnerability from github – Published: 2024-01-08 21:30 – Updated: 2026-04-28 21:33Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StudioWombat WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce.This issue affects WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce: from n/a through 1.4.3.
{
"affected": [],
"aliases": [
"CVE-2023-51408"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-08T21:15:09Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StudioWombat WP Optin Wheel \u2013 Gamified Optin Email Marketing Tool for WordPress and WooCommerce.This issue affects WP Optin Wheel \u2013 Gamified Optin Email Marketing Tool for WordPress and WooCommerce: from n/a through 1.4.3.",
"id": "GHSA-9954-329g-42vc",
"modified": "2026-04-28T21:33:46Z",
"published": "2024-01-08T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51408"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-optin-wheel/wordpress-wp-optin-wheel-plugin-1-4-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-999P-3HF6-2QGP
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance 9.0 and 9.1 management portal could allow an unauthenticated user to access sensitive information in a particular log file that could be used to bypass authentication on vulnerable installations.
{
"affected": [],
"aliases": [
"CVE-2018-3609"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-16T22:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance 9.0 and 9.1 management portal could allow an unauthenticated user to access sensitive information in a particular log file that could be used to bypass authentication on vulnerable installations.",
"id": "GHSA-999p-3hf6-2qgp",
"modified": "2022-05-13T01:32:21Z",
"published": "2022-05-13T01:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3609"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2018-006.txt"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/jp/solution/1119290"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/1119277"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99GF-FRHC-HG67
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2026-04-23 15:32Insertion of Sensitive Information into Log File vulnerability in TrustedLogin TrustedLogin Vendor.This issue affects TrustedLogin Vendor: from n/a before 1.1.1.
{
"affected": [],
"aliases": [
"CVE-2024-37270"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T18:15:04Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in TrustedLogin TrustedLogin Vendor.This issue affects TrustedLogin Vendor: from n/a before 1.1.1.",
"id": "GHSA-99gf-frhc-hg67",
"modified": "2026-04-23T15:32:24Z",
"published": "2024-07-10T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37270"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/vendor/vulnerability/wordpress-trustedlogin-vendor-plugin-1-1-1-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/vendor/wordpress-trustedlogin-vendor-plugin-1-1-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-99PC-69Q9-JXF2
Vulnerability from github – Published: 2023-10-26 18:30 – Updated: 2025-02-13 19:19Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured.
The _xpack/security APIs have been deprecated in Elasticsearch 7.x and were entirely removed in 8.0.0 and later. The only way for a client to use them in Elasticsearch 8.0.0 and later is to provide the Accept: application/json; compatible-with=7 header. Elasticsearch official clients do not use these deprecated APIs.
The list of affected, deprecated APIs, is the following:
POST /_xpack/security/user/{username}
PUT /_xpack/security/user/{username}
PUT /_xpack/security/user/{username}/_password
POST /_xpack/security/user/{username}/_password
PUT /_xpack/security/user/_password
POST /_xpack/security/user/_password
POST /_xpack/security/oauth2/token
DELETE /_xpack/security/oauth2/token
POST /_xpack/security/saml/authenticate
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.17.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31417"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-30T15:14:03Z",
"nvd_published_at": "2023-10-26T18:15:08Z",
"severity": "MODERATE"
},
"details": "Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured.\n\nThe `_xpack/security` APIs have been deprecated in Elasticsearch 7.x and were entirely removed in 8.0.0 and later. The only way for a client to use them in Elasticsearch 8.0.0 and later is to provide the `Accept: application/json; compatible-with=7` header. Elasticsearch official clients do not use these deprecated APIs.\n\nThe list of affected, deprecated APIs, is the following:\n\n`POST /_xpack/security/user/{username}`\n`PUT /_xpack/security/user/{username}`\n`PUT /_xpack/security/user/{username}/_password`\n`POST /_xpack/security/user/{username}/_password`\n`PUT /_xpack/security/user/_password`\n`POST /_xpack/security/user/_password`\n`POST /_xpack/security/oauth2/token`\n`DELETE /_xpack/security/oauth2/token`\n`POST /_xpack/security/saml/authenticate`",
"id": "GHSA-99pc-69q9-jxf2",
"modified": "2025-02-13T19:19:40Z",
"published": "2023-10-26T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31417"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elasticsearch-8-9-2-and-7-17-13-security-update/342479"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231130-0006"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Elasticsearch allows insertion of sensitive information into log files when using deprecated URIs"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.