CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1743 vulnerabilities reference this CWE, most recent first.
GHSA-F347-P5G7-4GG7
Vulnerability from github – Published: 2023-11-27 15:30 – Updated: 2023-11-27 15:30Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.
{
"affected": [],
"aliases": [
"CVE-2023-6287"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532",
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-27T14:15:08Z",
"severity": "LOW"
},
"details": "Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.",
"id": "GHSA-f347-p5g7-4gg7",
"modified": "2023-11-27T15:30:56Z",
"published": "2023-11-27T15:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6287"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/9554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F38Q-M6VQ-6XCX
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.
{
"affected": [],
"aliases": [
"CVE-2025-5464"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T16:15:58Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.",
"id": "GHSA-f38q-m6vq-6xcx",
"modified": "2025-07-08T18:31:43Z",
"published": "2025-07-08T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5464"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F3C7-2M22-WR7X
Vulnerability from github – Published: 2024-08-22 03:31 – Updated: 2024-08-26 15:31Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.
{
"affected": [],
"aliases": [
"CVE-2024-42056"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T01:15:03Z",
"severity": "MODERATE"
},
"details": "Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with \"Use\" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.",
"id": "GHSA-f3c7-2m22-wr7x",
"modified": "2024-08-26T15:31:14Z",
"published": "2024-08-22T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42056"
},
{
"type": "WEB",
"url": "https://docs.retool.com/disclosures/cve-2024-42056"
},
{
"type": "WEB",
"url": "https://docs.retool.com/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F42P-PXC9-254G
Vulnerability from github – Published: 2025-05-13 06:30 – Updated: 2025-05-13 06:30Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.
{
"affected": [],
"aliases": [
"CVE-2025-22246"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T06:15:35Z",
"severity": "LOW"
},
"details": "Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.",
"id": "GHSA-f42p-pxc9-254g",
"modified": "2025-05-13T06:30:24Z",
"published": "2025-05-13T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22246"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2025-22246-uaa-private-key-exposure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F435-MVRP-XRQP
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36In onNotificationRemoved of Assistant.java, there is a possible leak of sensitive information to logs. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162014574
{
"affected": [],
"aliases": [
"CVE-2020-0476"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-15T16:15:00Z",
"severity": "MODERATE"
},
"details": "In onNotificationRemoved of Assistant.java, there is a possible leak of sensitive information to logs. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-162014574",
"id": "GHSA-f435-mvrp-xrqp",
"modified": "2022-05-24T17:36:24Z",
"published": "2022-05-24T17:36:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0476"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F43W-3FR5-H2M3
Vulnerability from github – Published: 2026-04-09 12:31 – Updated: 2026-04-20 18:31Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5
{
"affected": [],
"aliases": [
"CVE-2026-4901"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T10:16:22Z",
"severity": "MODERATE"
},
"details": "Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5",
"id": "GHSA-f43w-3fr5-h2m3",
"modified": "2026-04-20T18:31:43Z",
"published": "2026-04-09T12:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4901"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/04/CVE-2026-4901"
},
{
"type": "WEB",
"url": "https://www.hydrosystem.poznan.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F4G4-CJ8F-3CR9
Vulnerability from github – Published: 2022-05-14 03:53 – Updated: 2024-05-14 21:13An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nova"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nova"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nova"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.1"
},
{
"fixed": "15.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7214"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:13:46Z",
"nvd_published_at": "2017-03-21T18:59:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.",
"id": "GHSA-f4g4-cj8f-3cr9",
"modified": "2024-05-14T21:13:46Z",
"published": "2022-05-14T03:53:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7214"
},
{
"type": "WEB",
"url": "https://github.com/openstack/nova/commit/3f985f1eda6f29180878a3d21c20c5057179486a"
},
{
"type": "WEB",
"url": "https://github.com/openstack/nova/commit/acb19160d4d348e29a21ad57c61c7369352c4d1c"
},
{
"type": "WEB",
"url": "https://github.com/openstack/nova/commit/c2c91ce44592fc5dc2aacee1cf7f5b5cfd2e9a0a"
},
{
"type": "WEB",
"url": "https://github.com/openstack/nova/commit/e193201fa1de5b08b29adefd8c149935c5529598"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1508"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1595"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/nova"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1673569"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96998"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Nova logs sensitive context from notification exceptions"
}
GHSA-F525-QQCM-4WW9
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-04-08 18:34Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725.
{
"affected": [],
"aliases": [
"CVE-2024-31249"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:12Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725.",
"id": "GHSA-f525-qqcm-4ww9",
"modified": "2025-04-08T18:34:11Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31249"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-220725-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F57P-H4RV-RVH6
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2025-59197"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:58Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally.",
"id": "GHSA-f57p-h4rv-rvh6",
"modified": "2025-10-14T18:30:34Z",
"published": "2025-10-14T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59197"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5C6-33CF-R833
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0148"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "MODERATE"
},
"details": "Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-f5c6-33cf-r833",
"modified": "2022-05-24T19:20:59Z",
"published": "2022-05-24T19:20:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0148"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00535.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.