CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-F5PV-9WHQ-7MV7
Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-02-18 18:30In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.
{
"affected": [],
"aliases": [
"CVE-2026-20144"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T18:24:29Z",
"severity": "MODERATE"
},
"details": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.",
"id": "GHSA-f5pv-9whq-7mv7",
"modified": "2026-02-18T18:30:41Z",
"published": "2026-02-18T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20144"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2026-0209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5V8-V6Q3-Q4H6
Vulnerability from github – Published: 2026-04-16 22:50 – Updated: 2026-04-16 22:50Summary
Meridian v2.1.0 (Meridian.Mapping and Meridian.Mediator) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Map(source, destination) overload and anywhere .UseDestinationValue() is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).
All nine are patched in v2.1.1. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).
Severity Matrix
| # | Severity | CWE | Finding | Fix |
|---|---|---|---|---|
| 1 | HIGH | CWE-770 | MappingEngine.TryMapCollectionOntoExisting enumerated the source without enforcing DefaultMaxCollectionItems. Reachable via Mapper.Map<TSrc,TDst>(src, dst) and any .ForMember(..., o => o.UseDestinationValue()) on a collection member through a plain Map(src) call. |
Shared cap enforcement helper between MapCollection and TryMapCollectionOntoExisting. |
| 2 | HIGH | CWE-674 | Collection-item recursion in the existing-destination path did not increment ResolutionContext.Depth, so self-referential collection graphs could reach stack overflow before DefaultMaxDepth fired. |
Depth increments at every collection-item boundary. |
| 3 | MEDIUM | CWE-665 | ObjectCreator.CreateWithConstructorMapping always invoked the widest public constructor, silently filling unresolved parameters with default(T) and bypassing narrower-ctor invariants. |
Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default. |
| 4 | MEDIUM | CWE-532 | Mediator.MarkActivityFailure emitted the full ex.ToString() (stack + inner chain) to the OpenTelemetry exception.stacktrace activity tag by default, leaking context to any shared trace sink. |
Gated on MediatorTelemetryOptions.RecordExceptionStackTrace — opt-in, default false. |
| 5 | MEDIUM | CWE-400 | RetryBehavior retried every exception type with unbounded MaxRetries; the exponential-backoff delay overflowed TimeSpan at ~30 attempts. No cancellation exclusion. |
Server-side MaxRetriesCap = 10, MaxBackoff = 5 min, OperationCanceledException short-circuit, recommended RetryPolicy.TransientOnly helper. |
| 6 | MEDIUM | CWE-400 | TaskWhenAllPublisher started every registered handler concurrently with no bound on fan-out. |
New constructor parameter maxDegreeOfParallelism (default 16; -1 restores legacy unbounded). |
| 7 | LOW | CWE-209 | Public mapping exceptions leaked FullName of source/destination types and concatenated inner exception messages into top-level property-mapping errors. |
Scrubbed to type Name; inner details only via InnerException chain. |
| 8 | LOW | CWE-209 | Dictionary materialization threw ArgumentException on duplicate keys, echoing the attacker-supplied key's .ToString(). |
Last-write-wins indexer semantics. |
| 9 | LOW | CWE-1325 | Static mediator handler caches grow monotonically under closed-generic request types. Doc-only mitigation; no code change — consumers must not allow attacker-controlled runtime type materialization to reach Send, Publish, or CreateStream. |
Documented in docs/security-model.md. |
Exploitation
Finding 1 / 2 (headline): A consumer that maps user-supplied collection payloads onto an existing destination list via mapper.Map(userCollection, existingList) — a documented and commonly used AutoMapper-style idiom — processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through .UseDestinationValue() on a collection-typed destination member, reachable via a plain Map(src) call whose destination type default-initializes that member.
Finding 3: A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., new UserAccount(string name, Email email) enforcing a non-default Email) could be instantiated with the narrower ctor's invariants silently bypassed if any source field was absent — the widest ctor was always picked, with unbound parameters replaced by default(T).
Findings 4 / 5 / 6: Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.
Patches
Meridian.Mapping2.1.1 (published 2026-04-16)Meridian.Mediator2.1.1 (published 2026-04-16)
Verified via:
- GitHub Release assets at https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1
- Sigstore attestation (actions/attest-build-provenance@v2 → gh attestation verify green on both .nupkg from the GitHub Release)
- NuGet.org indexed both packages within the release workflow run
Workarounds
Users who cannot upgrade immediately may:
1. Avoid mapper.Map(src, dst) and .UseDestinationValue() on collection-typed destination members.
2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian.
3. Register TaskWhenAllPublisher with maxDegreeOfParallelism ≤ 16 manually (v2.1.1+ only).
4. Disable OpenTelemetry exception.stacktrace tag emission at the trace exporter level if your trace sink is less trusted than your application.
These are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.
Supported Versions
As of this advisory the supported security branch is 2.1.x. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See SECURITY.md for the updated supported-versions table.
Credits
- UmutKorkmaz (reporter and maintainer)
References
- v2.1.1 CHANGELOG section: https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16
docs/security-model.mdthreat model: https://github.com/UmutKorkmaz/meridian/blob/main/docs/security-model.mdSECURITY.mddisclosure policy: https://github.com/UmutKorkmaz/meridian/blob/main/SECURITY.md- AutoMapper CVE-2026-32933 (motivating precedent for Meridian's safety-defaults)
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Meridian.Mapping"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Meridian.Mediator"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1325",
"CWE-209",
"CWE-400",
"CWE-532",
"CWE-665",
"CWE-674",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:50:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nMeridian v2.1.0 (`Meridian.Mapping` and `Meridian.Mediator`) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity \u2014 the advertised `DefaultMaxCollectionItems` and `DefaultMaxDepth` safety caps are silently bypassed on the `IMapper.Map(source, destination)` overload and anywhere `.UseDestinationValue()` is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).\n\nAll nine are patched in **v2.1.1**. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).\n\n## Severity Matrix\n\n| # | Severity | CWE | Finding | Fix |\n|---|---|---|---|---|\n| 1 | **HIGH** | CWE-770 | `MappingEngine.TryMapCollectionOntoExisting` enumerated the source without enforcing `DefaultMaxCollectionItems`. Reachable via `Mapper.Map\u003cTSrc,TDst\u003e(src, dst)` and any `.ForMember(..., o =\u003e o.UseDestinationValue())` on a collection member through a plain `Map(src)` call. | Shared cap enforcement helper between `MapCollection` and `TryMapCollectionOntoExisting`. |\n| 2 | **HIGH** | CWE-674 | Collection-item recursion in the existing-destination path did not increment `ResolutionContext.Depth`, so self-referential collection graphs could reach stack overflow before `DefaultMaxDepth` fired. | Depth increments at every collection-item boundary. |\n| 3 | MEDIUM | CWE-665 | `ObjectCreator.CreateWithConstructorMapping` always invoked the widest public constructor, silently filling unresolved parameters with `default(T)` and bypassing narrower-ctor invariants. | Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default. |\n| 4 | MEDIUM | CWE-532 | `Mediator.MarkActivityFailure` emitted the full `ex.ToString()` (stack + inner chain) to the OpenTelemetry `exception.stacktrace` activity tag by default, leaking context to any shared trace sink. | Gated on `MediatorTelemetryOptions.RecordExceptionStackTrace` \u2014 opt-in, default `false`. |\n| 5 | MEDIUM | CWE-400 | `RetryBehavior` retried every exception type with unbounded `MaxRetries`; the exponential-backoff delay overflowed `TimeSpan` at ~30 attempts. No cancellation exclusion. | Server-side `MaxRetriesCap = 10`, `MaxBackoff = 5 min`, `OperationCanceledException` short-circuit, recommended `RetryPolicy.TransientOnly` helper. |\n| 6 | MEDIUM | CWE-400 | `TaskWhenAllPublisher` started every registered handler concurrently with no bound on fan-out. | New constructor parameter `maxDegreeOfParallelism` (default 16; `-1` restores legacy unbounded). |\n| 7 | LOW | CWE-209 | Public mapping exceptions leaked `FullName` of source/destination types and concatenated inner exception messages into top-level property-mapping errors. | Scrubbed to type `Name`; inner details only via `InnerException` chain. |\n| 8 | LOW | CWE-209 | Dictionary materialization threw `ArgumentException` on duplicate keys, echoing the attacker-supplied key\u0027s `.ToString()`. | Last-write-wins indexer semantics. |\n| 9 | LOW | CWE-1325 | Static mediator handler caches grow monotonically under closed-generic request types. **Doc-only mitigation**; no code change \u2014 consumers must not allow attacker-controlled runtime type materialization to reach `Send`, `Publish`, or `CreateStream`. | Documented in `docs/security-model.md`. |\n\n## Exploitation\n\n**Finding 1 / 2 (headline):** A consumer that maps user-supplied collection payloads onto an existing destination list via `mapper.Map(userCollection, existingList)` \u2014 a documented and commonly used AutoMapper-style idiom \u2014 processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through `.UseDestinationValue()` on a collection-typed destination member, reachable via a plain `Map(src)` call whose destination type default-initializes that member.\n\n**Finding 3:** A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., `new UserAccount(string name, Email email)` enforcing a non-default `Email`) could be instantiated with the narrower ctor\u0027s invariants silently bypassed if any source field was absent \u2014 the widest ctor was always picked, with unbound parameters replaced by `default(T)`.\n\n**Findings 4 / 5 / 6:** Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.\n\n## Patches\n\n- `Meridian.Mapping` **2.1.1** (published 2026-04-16)\n- `Meridian.Mediator` **2.1.1** (published 2026-04-16)\n\nVerified via:\n- GitHub Release assets at \u003chttps://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1\u003e\n- Sigstore attestation (`actions/attest-build-provenance@v2` \u2192 `gh attestation verify` green on both `.nupkg` from the GitHub Release)\n- NuGet.org indexed both packages within the release workflow run\n\n## Workarounds\n\nUsers who cannot upgrade immediately may:\n1. Avoid `mapper.Map(src, dst)` and `.UseDestinationValue()` on collection-typed destination members.\n2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian.\n3. Register `TaskWhenAllPublisher` with `maxDegreeOfParallelism` \u2264 16 manually (v2.1.1+ only).\n4. Disable OpenTelemetry `exception.stacktrace` tag emission at the trace exporter level if your trace sink is less trusted than your application.\n\nThese are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.\n\n## Supported Versions\n\nAs of this advisory the supported security branch is **2.1.x**. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See `SECURITY.md` for the updated supported-versions table.\n\n## Credits\n\n- UmutKorkmaz (reporter and maintainer)\n\n## References\n\n- v2.1.1 CHANGELOG section: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\u003e\n- `docs/security-model.md` threat model: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/docs/security-model.md\u003e\n- `SECURITY.md` disclosure policy: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/SECURITY.md\u003e\n- AutoMapper CVE-2026-32933 (motivating precedent for Meridian\u0027s safety-defaults)",
"id": "GHSA-f5v8-v6q3-q4h6",
"modified": "2026-04-16T22:50:37Z",
"published": "2026-04-16T22:50:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/security/advisories/GHSA-f5v8-v6q3-q4h6"
},
{
"type": "PACKAGE",
"url": "https://github.com/UmutKorkmaz/meridian"
},
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16"
},
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)"
}
GHSA-F63F-F9WJ-5WJG
Vulnerability from github – Published: 2024-11-29 12:31 – Updated: 2024-12-03 21:31Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p22, <2.2.0p37, <2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users.
{
"affected": [],
"aliases": [
"CVE-2024-47094"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-29T10:15:10Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p22, \u003c2.2.0p37, \u003c2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users.",
"id": "GHSA-f63f-f9wj-5wjg",
"modified": "2024-12-03T21:31:21Z",
"published": "2024-11-29T12:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47094"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17342"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F68G-4P63-5WH7
Vulnerability from github – Published: 2022-05-14 01:04 – Updated: 2022-05-14 01:04A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
{
"affected": [],
"aliases": [
"CVE-2018-19865"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-05T11:29:00Z",
"severity": "HIGH"
},
"details": "A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.",
"id": "GHSA-f68g-4p63-5wh7",
"modified": "2022-05-14T01:04:11Z",
"published": "2022-05-14T01:04:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19865"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/243666"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/244569"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/244687"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/244845"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/245283"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/245293"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/245312"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/245638"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/245640"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/246630"
},
{
"type": "WEB",
"url": "http://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00085.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00086.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F69J-QX6J-7FQ8
Vulnerability from github – Published: 2025-07-11 00:30 – Updated: 2025-08-27 18:31Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
{
"affected": [],
"aliases": [
"CVE-2025-6392"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T22:15:24Z",
"severity": "MODERATE"
},
"details": "Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM\u2019s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.",
"id": "GHSA-f69j-qx6j-7fq8",
"modified": "2025-08-27T18:31:50Z",
"published": "2025-07-11T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6392"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35910"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F6CJ-4H3G-HWQ4
Vulnerability from github – Published: 2024-08-03 18:30 – Updated: 2024-08-07 19:40APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/apm-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37286"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-05T14:40:19Z",
"nvd_published_at": "2024-08-03T16:15:49Z",
"severity": "MODERATE"
},
"details": "APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.",
"id": "GHSA-f6cj-4h3g-hwq4",
"modified": "2024-08-07T19:40:43Z",
"published": "2024-08-03T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37286"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289"
},
{
"type": "PACKAGE",
"url": "https://github.com/elastic/apm-server"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "APM Server vulnerable to Insertion of Sensitive Information into Log File"
}
GHSA-F6FC-9FWC-Q7RW
Vulnerability from github – Published: 2024-08-03 15:30 – Updated: 2024-08-03 15:30IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user. IBM X-Force ID: 284868.
{
"affected": [],
"aliases": [
"CVE-2024-38321"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-03T14:15:48Z",
"severity": "MODERATE"
},
"details": "IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user. IBM X-Force ID: 284868.",
"id": "GHSA-f6fc-9fwc-q7rw",
"modified": "2024-08-03T15:30:34Z",
"published": "2024-08-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38321"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294868"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7162334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F6M8-CPJP-PWMJ
Vulnerability from github – Published: 2023-01-20 21:30 – Updated: 2023-01-27 15:30IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 stores potentially sensitive information in log files that could be read by a privileged user. IBM X-Force ID: 213645.
{
"affected": [],
"aliases": [
"CVE-2021-39011"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T19:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 stores potentially sensitive information in log files that could be read by a privileged user. IBM X-Force ID: 213645.",
"id": "GHSA-f6m8-cpjp-pwmj",
"modified": "2023-01-27T15:30:32Z",
"published": "2023-01-20T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39011"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/213645"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6856403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F6MM-5FC7-3G3C
Vulnerability from github – Published: 2024-05-15 17:17 – Updated: 2024-05-15 17:17Summary
Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment.
PoC
- Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete
$GOPATH/pkg). - Make sure to have secrets set in the environment
- Make sure to not have
go mod tidyin a before hook - Run
goreleaser release --clean - Go prints lots of
go: downloading ...lines, which triggers the "if output not empty, log it" line, which includes the environment.
Impact
Credentials and tokens are leaked.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goreleaser/goreleaser"
},
"ranges": [
{
"events": [
{
"introduced": "1.26.0"
},
{
"fixed": "1.26.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.26.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T17:17:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nSince #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the `go build` output is non-empty, goreleaser leaks the environment.\n\n### PoC\n* Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete `$GOPATH/pkg`).\n* Make sure to have secrets set in the environment\n* Make sure to not have `go mod tidy` in a before hook\n* Run `goreleaser release --clean`\n* Go prints lots of `go: downloading ...` lines, which triggers the \"if output not empty, log it\" line, which includes the environment.\n\n### Impact\nCredentials and tokens are leaked.",
"id": "GHSA-f6mm-5fc7-3g3c",
"modified": "2024-05-15T17:17:10Z",
"published": "2024-05-15T17:17:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-f6mm-5fc7-3g3c"
},
{
"type": "WEB",
"url": "https://github.com/goreleaser/goreleaser/pull/4787"
},
{
"type": "WEB",
"url": "https://github.com/goreleaser/goreleaser/commit/22f734e41f7a5111a031a3a4eb714c1b6aa6456b"
},
{
"type": "PACKAGE",
"url": "https://github.com/goreleaser/goreleaser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "goreleaser shows environment by default"
}
GHSA-F6RF-PQGW-R55H
Vulnerability from github – Published: 2025-07-30 18:31 – Updated: 2025-07-30 18:31TechAdvisor versions 2.6 through 3.37-30 for Dell XtremIO X2, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2025-26332"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T18:15:30Z",
"severity": "HIGH"
},
"details": "TechAdvisor versions 2.6 through 3.37-30 for Dell XtremIO X2, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
"id": "GHSA-f6rf-pqgw-r55h",
"modified": "2025-07-30T18:31:37Z",
"published": "2025-07-30T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26332"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000337241/dsa-2025-108-security-update-for-dell-emc-xtremio-x2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.