CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-CW5M-C88Q-X4PV
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-12 15:31A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state.
{
"affected": [],
"aliases": [
"CVE-2026-28987"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T21:18:58Z",
"severity": "HIGH"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state.",
"id": "GHSA-cw5m-c88q-x4pv",
"modified": "2026-05-12T15:31:34Z",
"published": "2026-05-11T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28987"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127111"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127116"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127118"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127119"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CW79-FQ4F-9R96
Vulnerability from github – Published: 2025-10-27 21:30 – Updated: 2025-11-15 02:30Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows local users to view user email address in the log files.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.portal.security.ldap.impl"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.2"
},
{
"fixed": "4.0.54"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62262"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T10:40:09Z",
"nvd_published_at": "2025-10-27T21:15:37Z",
"severity": "MODERATE"
},
"details": "Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows local users to view user email address in the log files.",
"id": "GHSA-cw79-fq4f-9r96",
"modified": "2025-11-15T02:30:28Z",
"published": "2025-10-27T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62262"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/fc14297acd87703ba1027d691fa27a6b96bbb57c"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17826"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62263"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature"
}
GHSA-CWQ5-9FP6-J489
Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-06 00:01Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in 2.249.1.
{
"affected": [],
"aliases": [
"CVE-2022-27888"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-26T23:15:00Z",
"severity": "MODERATE"
},
"details": "Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in 2.249.1.",
"id": "GHSA-cwq5-9fp6-j489",
"modified": "2022-05-06T00:01:09Z",
"published": "2022-04-28T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27888"
},
{
"type": "WEB",
"url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-01.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXC7-QRMH-3WX5
Vulnerability from github – Published: 2024-08-05 12:31 – Updated: 2024-08-30 18:30The com.cascadialabs.who (aka Who - Caller ID, Spam Block) application 15.0 for Android places sensitive information in the system log.
{
"affected": [],
"aliases": [
"CVE-2024-40096"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T10:15:33Z",
"severity": "LOW"
},
"details": "The com.cascadialabs.who (aka Who - Caller ID, Spam Block) application 15.0 for Android places sensitive information in the system log.",
"id": "GHSA-cxc7-qrmh-3wx5",
"modified": "2024-08-30T18:30:37Z",
"published": "2024-08-05T12:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40096"
},
{
"type": "WEB",
"url": "https://www.quokka.io/blog/critical-pii-exposure-in-who-caller-id-spam-block-app"
},
{
"type": "WEB",
"url": "https://www.quokka.io/critical-vulnerabilities-exploits-cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXFQ-987J-WPFW
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged
{
"affected": [],
"aliases": [
"CVE-2022-1157"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "LOW"
},
"details": "Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged",
"id": "GHSA-cxfq-987j-wpfw",
"modified": "2022-04-19T00:01:25Z",
"published": "2022-04-12T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1157"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1157.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/37261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXPP-V3RM-FQ33
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-10-07 18:15A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.
{
"affected": [],
"aliases": [
"CVE-2019-14885"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property\u0027s security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI \u0027reload\u0027 command. This flaw can lead to the exposure of confidential information.",
"id": "GHSA-cxpp-v3rm-fq33",
"modified": "2022-10-07T18:15:56Z",
"published": "2022-05-24T17:07:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14885"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14885"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXQ7-XW9V-RCV3
Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-11-05 00:31When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
{
"affected": [],
"aliases": [
"CVE-2025-58189"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-29T23:16:19Z",
"severity": "MODERATE"
},
"details": "When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.",
"id": "GHSA-cxq7-xw9v-rcv3",
"modified": "2025-11-05T00:31:31Z",
"published": "2025-10-30T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
},
{
"type": "WEB",
"url": "https://go.dev/cl/707776"
},
{
"type": "WEB",
"url": "https://go.dev/issue/75652"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4008"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXVC-PVRC-8C3G
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS logs containing the driver authentication password, potentially disclosing this to attackers able to read the EBS tables.
{
"affected": [],
"aliases": [
"CVE-2017-9278"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-02T20:29:00Z",
"severity": "CRITICAL"
},
"details": "The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS logs containing the driver authentication password, potentially disclosing this to attackers able to read the EBS tables.",
"id": "GHSA-cxvc-pvrc-8c3g",
"modified": "2022-05-13T01:36:09Z",
"published": "2022-05-13T01:36:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9278"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1053200"
},
{
"type": "WEB",
"url": "https://download.novell.com/Download?buildid=DKFkx_xPeaw~"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F24X-RM6G-3W5V
Vulnerability from github – Published: 2025-07-15 15:28 – Updated: 2025-07-15 15:28Summary
When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies.
Impact
Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53886"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-15T15:28:26Z",
"nvd_published_at": "2025-07-15T00:15:23Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies.\n\n### Impact\n\nMalicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.",
"id": "GHSA-f24x-rm6g-3w5v",
"modified": "2025-07-15T15:28:26Z",
"published": "2025-07-15T15:28:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53886"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus tokens are not redacted in flow logs, exposing session credentials to all admin"
}
GHSA-F28J-GRW4-6GGJ
Vulnerability from github – Published: 2022-05-14 01:53 – Updated: 2022-05-14 01:53An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.
{
"affected": [],
"aliases": [
"CVE-2018-16049"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-03T16:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.",
"id": "GHSA-f28j-grw4-6ggj",
"modified": "2022-05-14T01:53:16Z",
"published": "2022-05-14T01:53:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16049"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/46967"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/49272"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.