CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-9FWX-P432-XMR2
Vulnerability from github – Published: 2025-05-30 00:31 – Updated: 2026-04-02 21:32A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-31199"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-29T22:15:21Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. An app may be able to access sensitive user data.",
"id": "GHSA-9fwx-p432-xmr2",
"modified": "2026-04-02T21:32:24Z",
"published": "2025-05-30T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31199"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9G6R-M8WP-HQCV
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27Information Disclosure Vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows local users to gain access to sensitive information via incorrectly logging of sensitive information in debug logs.
{
"affected": [],
"aliases": [
"CVE-2020-7322"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-09T10:15:00Z",
"severity": "LOW"
},
"details": "Information Disclosure Vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows local users to gain access to sensitive information via incorrectly logging of sensitive information in debug logs.",
"id": "GHSA-9g6r-m8wp-hqcv",
"modified": "2022-05-24T17:27:49Z",
"published": "2022-05-24T17:27:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7322"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10327"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9GGC-845V-GCGV
Vulnerability from github – Published: 2024-05-13 16:04 – Updated: 2024-05-14 20:40Introduction
In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair.
Impact
Due to a logic bug introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/2961/commits/71136e44c03c79f80d6d1a2446673bc4d53a2067, the matrix-sdk-crypto crate version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate).
Patches
This issue has been resolved in matrix-sdk-crypto version 0.7.1.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory, please email us at security at matrix.org.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "matrix-sdk-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.7.0"
]
}
],
"aliases": [
"CVE-2024-34353"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-13T16:04:37Z",
"nvd_published_at": "2024-05-14T15:38:43Z",
"severity": "MODERATE"
},
"details": "### Introduction\n\nIn Matrix, the server-side *key backup* stores encrypted copies of Matrix message keys. This facilitates key sharing between a user\u0027s devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair.\n\n### Impact\n\nDue to a logic bug introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/2961/commits/71136e44c03c79f80d6d1a2446673bc4d53a2067, the matrix-sdk-crypto crate version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate).\n\n### Patches\nThis issue has been resolved in matrix-sdk-crypto [version 0.7.1](https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1).\n\n### Workarounds\nNone.\n\n### References\n\n- [crates.io release](https://crates.io/crates/matrix-sdk-crypto/0.7.1)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).\n",
"id": "GHSA-9ggc-845v-gcgv",
"modified": "2024-05-14T20:40:56Z",
"published": "2024-05-13T16:04:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34353"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/matrix-rust-sdk"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "matrix-sdk-crypto contains a log exposure of private key of the server-side key backup"
}
GHSA-9HP4-VWRV-6CW7
Vulnerability from github – Published: 2022-11-03 19:00 – Updated: 2022-11-04 12:00In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters
{
"affected": [],
"aliases": [
"CVE-2022-44624"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T14:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters",
"id": "GHSA-9hp4-vwrv-6cw7",
"modified": "2022-11-04T12:00:25Z",
"published": "2022-11-03T19:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44624"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9J7R-MQX9-67MV
Vulnerability from github – Published: 2023-10-07 00:30 – Updated: 2024-04-04 08:24Sensitive data could be exposed in logs of subiquity version 23.09.1 and earlier. An attacker in the adm group could use this information to find hashed passwords and possibly escalate their privilege.
{
"affected": [],
"aliases": [
"CVE-2023-5182"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-07T00:15:11Z",
"severity": "MODERATE"
},
"details": "Sensitive data could be exposed in logs of subiquity version 23.09.1 and earlier. An attacker in the adm group could use this information to find hashed passwords and possibly escalate their privilege.",
"id": "GHSA-9j7r-mqx9-67mv",
"modified": "2024-04-04T08:24:01Z",
"published": "2023-10-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5182"
},
{
"type": "WEB",
"url": "https://github.com/canonical/subiquity/pull/1820/commits/62e126896fb063808767d74d00886001e38eaa1c"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M2C-RXH3-Q83M
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to read sensitive location information
{
"affected": [],
"aliases": [
"CVE-2023-32392"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:12Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to read sensitive location information",
"id": "GHSA-9m2c-rxh3-q83m",
"modified": "2024-04-04T05:07:54Z",
"published": "2023-06-23T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32392"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213759"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213760"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M52-7WVP-69MV
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622.
{
"affected": [],
"aliases": [
"CVE-2018-1768"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-26T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622.",
"id": "GHSA-9m52-7wvp-69mv",
"modified": "2022-05-13T01:32:43Z",
"published": "2022-05-13T01:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1768"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148622"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10729219"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041715"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MQ7-8HM8-Q3MP
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-09-29 15:30An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.
{
"affected": [],
"aliases": [
"CVE-2024-37283"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.",
"id": "GHSA-9mq7-8hm8-q3mp",
"modified": "2025-09-29T15:30:29Z",
"published": "2024-08-12T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37283"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-agent-8-15-0-security-update-esa-2024-23/364635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9P5V-74F3-3RQ6
Vulnerability from github – Published: 2024-02-17 18:30 – Updated: 2024-02-17 18:30IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975.
{
"affected": [],
"aliases": [
"CVE-2024-22335"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-17T16:15:47Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975.",
"id": "GHSA-9p5v-74f3-3rq6",
"modified": "2024-02-17T18:30:31Z",
"published": "2024-02-17T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22335"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279975"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7118642"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9P7W-W5Q6-MXJ3
Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:01In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNT_TOKEN placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcalico/calico"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "3.31.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcalico/calico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0-cni-plugin.0.20260417001138-cd73bc2cea0f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41184"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:01:02Z",
"nvd_published_at": "2026-05-28T17:16:22Z",
"severity": "MODERATE"
},
"details": "In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.",
"id": "GHSA-9p7w-w5q6-mxj3",
"modified": "2026-07-02T18:01:02Z",
"published": "2026-05-28T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41184"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12502"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12526"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12527"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/0ca653db0ae7400ea9fb066daa7f45c902482271"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/cd73bc2cea0f4989772f2deb93909e7cfac927e0"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/da9ea3a13927a35e4022b787d17a005b2157d812"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcalico/calico"
},
{
"type": "WEB",
"url": "https://www.tigera.io/security-bulletins/tta-2026-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Calico Inserts Sensitive Information into Log File"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.