Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1743 vulnerabilities reference this CWE, most recent first.

GHSA-F347-P5G7-4GG7

Vulnerability from github – Published: 2023-11-27 15:30 – Updated: 2023-11-27 15:30
VLAI
Details

Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532",
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-27T14:15:08Z",
    "severity": "LOW"
  },
  "details": "Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.",
  "id": "GHSA-f347-p5g7-4gg7",
  "modified": "2023-11-27T15:30:56Z",
  "published": "2023-11-27T15:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6287"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/9554"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F38Q-M6VQ-6XCX

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T16:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.",
  "id": "GHSA-f38q-m6vq-6xcx",
  "modified": "2025-07-08T18:31:43Z",
  "published": "2025-07-08T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5464"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3C7-2M22-WR7X

Vulnerability from github – Published: 2024-08-22 03:31 – Updated: 2024-08-26 15:31
VLAI
Details

Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T01:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with \"Use\" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.",
  "id": "GHSA-f3c7-2m22-wr7x",
  "modified": "2024-08-26T15:31:14Z",
  "published": "2024-08-22T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42056"
    },
    {
      "type": "WEB",
      "url": "https://docs.retool.com/disclosures/cve-2024-42056"
    },
    {
      "type": "WEB",
      "url": "https://docs.retool.com/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F42P-PXC9-254G

Vulnerability from github – Published: 2025-05-13 06:30 – Updated: 2025-05-13 06:30
VLAI
Details

Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T06:15:35Z",
    "severity": "LOW"
  },
  "details": "Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.",
  "id": "GHSA-f42p-pxc9-254g",
  "modified": "2025-05-13T06:30:24Z",
  "published": "2025-05-13T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22246"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2025-22246-uaa-private-key-exposure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F435-MVRP-XRQP

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In onNotificationRemoved of Assistant.java, there is a possible leak of sensitive information to logs. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162014574

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In onNotificationRemoved of Assistant.java, there is a possible leak of sensitive information to logs. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162014574",
  "id": "GHSA-f435-mvrp-xrqp",
  "modified": "2022-05-24T17:36:24Z",
  "published": "2022-05-24T17:36:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0476"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F43W-3FR5-H2M3

Vulnerability from github – Published: 2026-04-09 12:31 – Updated: 2026-04-20 18:31
VLAI
Details

Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T10:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5",
  "id": "GHSA-f43w-3fr5-h2m3",
  "modified": "2026-04-20T18:31:43Z",
  "published": "2026-04-09T12:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4901"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/04/CVE-2026-4901"
    },
    {
      "type": "WEB",
      "url": "https://www.hydrosystem.poznan.pl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F4G4-CJ8F-3CR9

Vulnerability from github – Published: 2022-05-14 03:53 – Updated: 2024-05-14 21:13
VLAI
Summary
OpenStack Nova logs sensitive context from notification exceptions
Details

An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nova"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.1"
            },
            {
              "fixed": "15.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:13:46Z",
    "nvd_published_at": "2017-03-21T18:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.",
  "id": "GHSA-f4g4-cj8f-3cr9",
  "modified": "2024-05-14T21:13:46Z",
  "published": "2022-05-14T03:53:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/nova/commit/3f985f1eda6f29180878a3d21c20c5057179486a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/nova/commit/acb19160d4d348e29a21ad57c61c7369352c4d1c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/nova/commit/c2c91ce44592fc5dc2aacee1cf7f5b5cfd2e9a0a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/nova/commit/e193201fa1de5b08b29adefd8c149935c5529598"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1508"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1595"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/nova"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/1673569"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96998"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenStack Nova logs sensitive context from notification exceptions"
}

GHSA-F525-QQCM-4WW9

Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-04-08 18:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T16:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725.",
  "id": "GHSA-f525-qqcm-4ww9",
  "modified": "2025-04-08T18:34:11Z",
  "published": "2024-04-10T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31249"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-220725-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F57P-H4RV-RVH6

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally.",
  "id": "GHSA-f57p-h4rv-rvh6",
  "modified": "2025-10-14T18:30:34Z",
  "published": "2025-10-14T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59197"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F5C6-33CF-R833

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-f5c6-33cf-r833",
  "modified": "2022-05-24T19:20:59Z",
  "published": "2022-05-24T19:20:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0148"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00535.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.