Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-GW5C-576J-PF63

Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30
VLAI
Details

A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.",
  "id": "GHSA-gw5c-576j-pf63",
  "modified": "2025-10-16T15:30:42Z",
  "published": "2025-10-16T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46752"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GWPF-62XP-VRG6

Vulnerability from github – Published: 2020-09-11 21:14 – Updated: 2021-09-28 16:53
VLAI
Summary
Information Exposure in cordova-android
Details

Versions of cordova-android prior to 6.0.0 are vulnerable to Information Exposure through log files. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.

Recommendation

Upgrade to version 6.0.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "cordova-android"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-6799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:42:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `cordova-android` prior to 6.0.0 are vulnerable to Information Exposure through log files. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.\n\n\n## Recommendation\n\nUpgrade to version 6.0.0 or later.",
  "id": "GHSA-gwpf-62xp-vrg6",
  "modified": "2021-09-28T16:53:04Z",
  "published": "2020-09-11T21:14:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cordova-android/commit/4a0a7bc424fae14c9689f4a8a2dc250ae3a47f82"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6799"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/cordova-android"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CORDOVAANDROID-174935"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/964"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information Exposure in cordova-android"
}

GHSA-GXJ4-3CXJ-Q8MP

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

There is an information leakage vulnerability in some huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00,V500R001C20,V500R001C30;NIP6600 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6300 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6500 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6600 versions V500R001C00,V500R001C20,V500R001C30,V500R001C50,V500R001C60,V500R001C80;USG9500 versions V500R005C00,V500R005C10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-22T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is an information leakage vulnerability in some huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00,V500R001C20,V500R001C30;NIP6600 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6300 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6500 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6600 versions V500R001C00,V500R001C20,V500R001C30,V500R001C50,V500R001C60,V500R001C80;USG9500 versions V500R005C00,V500R005C10.",
  "id": "GHSA-gxj4-3cxj-q8mp",
  "modified": "2022-05-24T17:45:00Z",
  "published": "2022-05-24T17:45:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22310"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210203-01-plaintextlog-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GXV8-GGVR-3R24

Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32
VLAI
Details

Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, versions 9.11.0.0 through 9.13.0.2 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T11:16:25Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, versions 9.11.0.0 through 9.13.0.2 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-gxv8-ggvr-3r24",
  "modified": "2026-07-15T12:32:01Z",
  "published": "2026-07-15T12:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40633"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000483600/dsa-2026-261-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2FP-W5PW-3H9Q

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-21 18:30
VLAI
Details

Exposure of Sensitive Information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access the memory address information via log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Sensitive Information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access the memory address information via log.",
  "id": "GHSA-h2fp-w5pw-3h9q",
  "modified": "2023-02-21T18:30:24Z",
  "published": "2023-02-09T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21435"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2GH-JQX7-WCJ7

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-09T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.",
  "id": "GHSA-h2gh-jqx7-wcj7",
  "modified": "2022-05-24T19:20:10Z",
  "published": "2022-05-24T19:20:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40364"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2PH-VHM7-G4HP

Vulnerability from github – Published: 2022-12-08 16:11 – Updated: 2022-12-09 15:20
VLAI
Summary
Traefik may display authorization header in the debug logs
Details

Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

  • Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
  • Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
  • Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
  • In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:

level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>

Patches

https://github.com/traefik/traefik/pull/9574 https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Set the log level to INFO, WARN, or ERROR.

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-08T16:11:37Z",
    "nvd_published_at": "2022-12-08T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThere is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.\n\nTraefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:\n\n- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service\n- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/\n- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/\n- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/\n\nIn such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:\n\n```\nlevel=debug msg=\"vulcand/oxy/roundrobin/rr: completed ServeHttp on request\" Request=\"{\\\\\"Method\\\\\":\\\\\"POST\\\\\",\\\\\"URL\\\\\":{\\\\\"Scheme\\\\\":\\\\\"\\\\\",\\\\\"Opaque\\\\\":\\\\\"\\\\\",\\\\\"User\\\\\":null,\\\\\"Host\\\\\":\\\\\"\\\\\",\\\\\"Path\\\\\":\\\\\"/\u003credacted\u003e/\u003credacted\u003e\\\\\",\\\\\"RawPath\\\\\":\\\\\"\\\\\",\\\\\"ForceQuery\\\\\":false,\\\\\"RawQuery\\\\\":\\\\\"\\\\\",\\\\\"Fragment\\\\\":\\\\\"\\\\\",\\\\\"RawFragment\\\\\":\\\\\"\\\\\"},\\\\\"Proto\\\\\":\\\\\"HTTP/2.0\\\\\",\\\\\"ProtoMajor\\\\\":2,\\\\\"ProtoMinor\\\\\":0,\\\\\"Header\\\\\":{\\\\\"Authorization\\\\\":[\\\\\"Bearer \u003ctoken value was here\u003e\\\\\"],\\\\\"Content-Type\\\\\":[\\\\\"application/grpc\\\\\"],\\\\\"Grpc-Accept-Encoding\\\\\":[\\\\\"gzip\\\\\"],\\\\\"Grpc-Timeout\\\\\":[\\\\\"29999886u\\\\\"],\\\\\"Te\\\\\":[\\\\\"trailers\\\\\"],\\\\\"User-Agent\\\\\":[\\\\\"\u003credacted\u003e\\\\\"],\u003cremainder of log message removed\u003e\n```\n\n### Patches\n\nhttps://github.com/traefik/traefik/pull/9574\nhttps://github.com/traefik/traefik/releases/tag/v2.9.6\n\n### Workarounds\n\nSet the log level to `INFO`, `WARN`, or `ERROR`.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
  "id": "GHSA-h2ph-vhm7-g4hp",
  "modified": "2022-12-09T15:20:21Z",
  "published": "2022-12-08T16:11:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/pull/9574"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik may display authorization header in the debug logs"
}

GHSA-H3M3-6J4G-Q8VG

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00
VLAI
Details

Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log.",
  "id": "GHSA-h3m3-6j4g-q8vg",
  "modified": "2022-07-17T00:00:45Z",
  "published": "2022-07-13T00:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33687"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3Q2-8WHX-C29H

Vulnerability from github – Published: 2024-01-30 20:57 – Updated: 2024-03-04 18:45
VLAI
Summary
`goreleaser release --debug` shows secrets
Details

Summary

Hello 👋

goreleaser release --debug log shows secret values used in the in the custom publisher.

How to reproduce the issue:

  • Define a custom publisher as the one below. Make sure to provide a custom script to the cmd field and to provide a secret to env
#.goreleaser.yml 
publishers:
  - name: my-publisher
  # IDs of the artifacts we want to sign
    ids:
      - linux_archives
      - linux_package
    cmd: "./build/package/linux_notarize.sh"
    env:
      - VERSION={{ .Version }}
      - SECRET_1={{.Env.SECRET_1}}
      - SECRET_2={{.Env.SECRET_2}}
  • run goreleaser release --debug

You should see your secret value in the gorelease log. The log shows also the GITHUB_TOKEN

Example:

running                                        cmd= ....
SECRET_1=secret_value
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goreleaser/goreleaser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.23.0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.23.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T20:57:52Z",
    "nvd_published_at": "2024-01-30T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nHello \ud83d\udc4b \n\n`goreleaser release --debug` log shows secret values used in the in the custom publisher.\n\n\nHow to reproduce the issue:\n\n- Define a custom publisher as the one below. Make sure to provide a custom script to the `cmd` field and to provide a secret to `env` \n\n```\n#.goreleaser.yml \npublishers:\n  - name: my-publisher\n  # IDs of the artifacts we want to sign\n    ids:\n      - linux_archives\n      - linux_package\n    cmd: \"./build/package/linux_notarize.sh\"\n    env:\n      - VERSION={{ .Version }}\n      - SECRET_1={{.Env.SECRET_1}}\n      - SECRET_2={{.Env.SECRET_2}}\n```\n\n- run `goreleaser release --debug`\n\nYou should see your secret value in the gorelease log. The log shows also the `GITHUB_TOKEN`\n\nExample:\n\n```\nrunning                                        cmd= ....\nSECRET_1=secret_value\n```\n",
  "id": "GHSA-h3q2-8whx-c29h",
  "modified": "2024-03-04T18:45:24Z",
  "published": "2024-01-30T20:57:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goreleaser/goreleaser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`goreleaser release --debug` shows secrets"
}

GHSA-H3X8-JX27-7VW4

Vulnerability from github – Published: 2024-01-23 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user's phone number in system logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-23T01:15:11Z",
    "severity": "LOW"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user\u0027s phone number in system logs.",
  "id": "GHSA-h3x8-jx27-7vw4",
  "modified": "2026-04-02T21:31:34Z",
  "published": "2024-01-23T03:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23210"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120304"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120306"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120309"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120311"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214055"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214059"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214060"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214061"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214055"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214061"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jan/33"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jan/36"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jan/39"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jan/40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.