CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-GW5C-576J-PF63
Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.
{
"affected": [],
"aliases": [
"CVE-2025-46752"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T14:15:35Z",
"severity": "MODERATE"
},
"details": "A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.",
"id": "GHSA-gw5c-576j-pf63",
"modified": "2025-10-16T15:30:42Z",
"published": "2025-10-16T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46752"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GWPF-62XP-VRG6
Vulnerability from github – Published: 2020-09-11 21:14 – Updated: 2021-09-28 16:53Versions of cordova-android prior to 6.0.0 are vulnerable to Information Exposure through log files. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.
Recommendation
Upgrade to version 6.0.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cordova-android"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-6799"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:42:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `cordova-android` prior to 6.0.0 are vulnerable to Information Exposure through log files. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.\n\n\n## Recommendation\n\nUpgrade to version 6.0.0 or later.",
"id": "GHSA-gwpf-62xp-vrg6",
"modified": "2021-09-28T16:53:04Z",
"published": "2020-09-11T21:14:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6799"
},
{
"type": "WEB",
"url": "https://github.com/apache/cordova-android/commit/4a0a7bc424fae14c9689f4a8a2dc250ae3a47f82"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6799"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/cordova-android"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CORDOVAANDROID-174935"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/964"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98365"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information Exposure in cordova-android"
}
GHSA-GXJ4-3CXJ-Q8MP
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45There is an information leakage vulnerability in some huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00,V500R001C20,V500R001C30;NIP6600 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6300 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6500 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6600 versions V500R001C00,V500R001C20,V500R001C30,V500R001C50,V500R001C60,V500R001C80;USG9500 versions V500R005C00,V500R005C10.
{
"affected": [],
"aliases": [
"CVE-2021-22310"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "There is an information leakage vulnerability in some huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00,V500R001C20,V500R001C30;NIP6600 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6300 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6500 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6600 versions V500R001C00,V500R001C20,V500R001C30,V500R001C50,V500R001C60,V500R001C80;USG9500 versions V500R005C00,V500R005C10.",
"id": "GHSA-gxj4-3cxj-q8mp",
"modified": "2022-05-24T17:45:00Z",
"published": "2022-05-24T17:45:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22310"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210203-01-plaintextlog-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GXV8-GGVR-3R24
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, versions 9.11.0.0 through 9.13.0.2 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-40633"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T11:16:25Z",
"severity": "HIGH"
},
"details": "Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, versions 9.11.0.0 through 9.13.0.2 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-gxv8-ggvr-3r24",
"modified": "2026-07-15T12:32:01Z",
"published": "2026-07-15T12:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40633"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000483600/dsa-2026-261-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2FP-W5PW-3H9Q
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-21 18:30Exposure of Sensitive Information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access the memory address information via log.
{
"affected": [],
"aliases": [
"CVE-2023-21435"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access the memory address information via log.",
"id": "GHSA-h2fp-w5pw-3h9q",
"modified": "2023-02-21T18:30:24Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21435"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2GH-JQX7-WCJ7
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.
{
"affected": [],
"aliases": [
"CVE-2021-40364"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-09T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.",
"id": "GHSA-h2gh-jqx7-wcj7",
"modified": "2022-05-24T19:20:10Z",
"published": "2022-05-24T19:20:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40364"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2PH-VHM7-G4HP
Vulnerability from github – Published: 2022-12-08 16:11 – Updated: 2022-12-09 15:20Impact
There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.
Traefik uses oxy to provide the following features:
- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/
In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:
level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>
Patches
https://github.com/traefik/traefik/pull/9574 https://github.com/traefik/traefik/releases/tag/v2.9.6
Workarounds
Set the log level to INFO, WARN, or ERROR.
For more information
If you have any questions or comments about this advisory, please open an issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23469"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-08T16:11:37Z",
"nvd_published_at": "2022-12-08T22:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nThere is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.\n\nTraefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:\n\n- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service\n- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/\n- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/\n- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/\n\nIn such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:\n\n```\nlevel=debug msg=\"vulcand/oxy/roundrobin/rr: completed ServeHttp on request\" Request=\"{\\\\\"Method\\\\\":\\\\\"POST\\\\\",\\\\\"URL\\\\\":{\\\\\"Scheme\\\\\":\\\\\"\\\\\",\\\\\"Opaque\\\\\":\\\\\"\\\\\",\\\\\"User\\\\\":null,\\\\\"Host\\\\\":\\\\\"\\\\\",\\\\\"Path\\\\\":\\\\\"/\u003credacted\u003e/\u003credacted\u003e\\\\\",\\\\\"RawPath\\\\\":\\\\\"\\\\\",\\\\\"ForceQuery\\\\\":false,\\\\\"RawQuery\\\\\":\\\\\"\\\\\",\\\\\"Fragment\\\\\":\\\\\"\\\\\",\\\\\"RawFragment\\\\\":\\\\\"\\\\\"},\\\\\"Proto\\\\\":\\\\\"HTTP/2.0\\\\\",\\\\\"ProtoMajor\\\\\":2,\\\\\"ProtoMinor\\\\\":0,\\\\\"Header\\\\\":{\\\\\"Authorization\\\\\":[\\\\\"Bearer \u003ctoken value was here\u003e\\\\\"],\\\\\"Content-Type\\\\\":[\\\\\"application/grpc\\\\\"],\\\\\"Grpc-Accept-Encoding\\\\\":[\\\\\"gzip\\\\\"],\\\\\"Grpc-Timeout\\\\\":[\\\\\"29999886u\\\\\"],\\\\\"Te\\\\\":[\\\\\"trailers\\\\\"],\\\\\"User-Agent\\\\\":[\\\\\"\u003credacted\u003e\\\\\"],\u003cremainder of log message removed\u003e\n```\n\n### Patches\n\nhttps://github.com/traefik/traefik/pull/9574\nhttps://github.com/traefik/traefik/releases/tag/v2.9.6\n\n### Workarounds\n\nSet the log level to `INFO`, `WARN`, or `ERROR`.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
"id": "GHSA-h2ph-vhm7-g4hp",
"modified": "2022-12-09T15:20:21Z",
"published": "2022-12-08T16:11:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23469"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/pull/9574"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.9.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Traefik may display authorization header in the debug logs"
}
GHSA-H3M3-6J4G-Q8VG
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log.
{
"affected": [],
"aliases": [
"CVE-2022-33687"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "LOW"
},
"details": "Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log.",
"id": "GHSA-h3m3-6j4g-q8vg",
"modified": "2022-07-17T00:00:45Z",
"published": "2022-07-13T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33687"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H3Q2-8WHX-C29H
Vulnerability from github – Published: 2024-01-30 20:57 – Updated: 2024-03-04 18:45Summary
Hello 👋
goreleaser release --debug log shows secret values used in the in the custom publisher.
How to reproduce the issue:
- Define a custom publisher as the one below. Make sure to provide a custom script to the
cmdfield and to provide a secret toenv
#.goreleaser.yml
publishers:
- name: my-publisher
# IDs of the artifacts we want to sign
ids:
- linux_archives
- linux_package
cmd: "./build/package/linux_notarize.sh"
env:
- VERSION={{ .Version }}
- SECRET_1={{.Env.SECRET_1}}
- SECRET_2={{.Env.SECRET_2}}
- run
goreleaser release --debug
You should see your secret value in the gorelease log. The log shows also the GITHUB_TOKEN
Example:
running cmd= ....
SECRET_1=secret_value
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goreleaser/goreleaser"
},
"ranges": [
{
"events": [
{
"introduced": "1.23.0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.23.0"
]
}
],
"aliases": [
"CVE-2024-23840"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T20:57:52Z",
"nvd_published_at": "2024-01-30T17:15:11Z",
"severity": "MODERATE"
},
"details": "### Summary\nHello \ud83d\udc4b \n\n`goreleaser release --debug` log shows secret values used in the in the custom publisher.\n\n\nHow to reproduce the issue:\n\n- Define a custom publisher as the one below. Make sure to provide a custom script to the `cmd` field and to provide a secret to `env` \n\n```\n#.goreleaser.yml \npublishers:\n - name: my-publisher\n # IDs of the artifacts we want to sign\n ids:\n - linux_archives\n - linux_package\n cmd: \"./build/package/linux_notarize.sh\"\n env:\n - VERSION={{ .Version }}\n - SECRET_1={{.Env.SECRET_1}}\n - SECRET_2={{.Env.SECRET_2}}\n```\n\n- run `goreleaser release --debug`\n\nYou should see your secret value in the gorelease log. The log shows also the `GITHUB_TOKEN`\n\nExample:\n\n```\nrunning cmd= ....\nSECRET_1=secret_value\n```\n",
"id": "GHSA-h3q2-8whx-c29h",
"modified": "2024-03-04T18:45:24Z",
"published": "2024-01-30T20:57:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23840"
},
{
"type": "WEB",
"url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/goreleaser/goreleaser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "`goreleaser release --debug` shows secrets"
}
GHSA-H3X8-JX27-7VW4
Vulnerability from github – Published: 2024-01-23 03:31 – Updated: 2026-04-02 21:31This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user's phone number in system logs.
{
"affected": [],
"aliases": [
"CVE-2024-23210"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T01:15:11Z",
"severity": "LOW"
},
"details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user\u0027s phone number in system logs.",
"id": "GHSA-h3x8-jx27-7vw4",
"modified": "2026-04-02T21:31:34Z",
"published": "2024-01-23T03:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23210"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120304"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120306"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120309"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120311"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214055"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214059"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214060"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214061"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214055"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214061"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jan/33"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jan/36"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jan/39"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jan/40"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.