Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-H498-88JQ-WH8M

Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31
VLAI
Details

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access information about a user's contacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T00:15:48Z",
    "severity": "LOW"
  },
  "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access information about a user\u0027s contacts.",
  "id": "GHSA-h498-88jq-wh8m",
  "modified": "2025-11-04T18:31:19Z",
  "published": "2024-09-17T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40791"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121234"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121246"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121247"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121250"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/32"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/33"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/39"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/40"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H59W-6MM4-73P7

Vulnerability from github – Published: 2024-03-21 03:36 – Updated: 2024-03-21 03:36
VLAI
Details

IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 280361.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-21T02:52:02Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user.  IBM X-Force ID:  280361.",
  "id": "GHSA-h59w-6mm4-73p7",
  "modified": "2024-03-21T03:36:46Z",
  "published": "2024-03-21T03:36:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22352"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/280361"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7117184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5F8-CRRQ-4PW8

Vulnerability from github – Published: 2025-05-28 14:40 – Updated: 2025-05-28 14:40
VLAI
Summary
Contrast workload secrets leak to logs on INFO level
Details

Impact

When the Contrast initializer is configured with a CONTRAST_LOG_LEVEL of info or debug, the workload secret is logged to stderr and written to Kubernetes logs.

Since info is the default setting, this affects all Contrast installations that don't customize their initializers' log level.

The following audiences are intended to have access to workload secrets (see https://docs.edgeless.systems/contrast/1.7/architecture/secrets#workload-secrets):

  • Contrast Coordinator (can derive all workload secrets)
  • Contrast Initializer (obtains only the secret configured in the manifest)
  • Seedshare owner (can derive all workload secrets)
  • Workload owner (can update manifests to obtain secrets)

This vulnerability allows the following parties unintended access to workload secrets issued by a Coordinator:

  • Kubernetes users with get or list permission on pods/logs.
  • Others with read access to the Kubernetes log storage (most notably, the cloud provider).

This vulnerability does not affect scenarios where workload secrets are not used by the application (directly or with secure persistence). Applications designed for workload owner exclusion can't use workload secrets and are thus unaffected.

Patches

N/A

Workarounds

This vulnerability can be mitigated by adding an environment variable CONTRAST_LOG_LEVEL=warn to the initializer after running contrast generate, and then running contrast generate again.

References

N/A

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/contrast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T14:40:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen the Contrast initializer is configured with a `CONTRAST_LOG_LEVEL` of `info` or `debug`, the workload secret is logged to `stderr` and written to Kubernetes logs. \n\nSince `info` is the default setting, this affects all Contrast installations that don\u0027t customize their initializers\u0027 log level.\n\nThe following audiences are **intended** to have access to workload secrets (see https://docs.edgeless.systems/contrast/1.7/architecture/secrets#workload-secrets):\n\n* Contrast Coordinator (can derive all workload secrets)\n* Contrast Initializer (obtains only the secret configured in the manifest)\n* Seedshare owner (can derive all workload secrets)\n* Workload owner (can update manifests to obtain secrets)\n\nThis vulnerability allows the following parties **unintended access** to workload secrets issued by a Coordinator:\n\n* Kubernetes users with `get` or `list` permission on `pods/logs`.\n* Others with read access to the Kubernetes log storage (most notably, the cloud provider).\n\nThis vulnerability **does not affect** scenarios where workload secrets are not used by the application (directly or with [secure persistence](https://docs.edgeless.systems/contrast/1.7/architecture/secrets#secure-persistence)). Applications designed for workload owner exclusion can\u0027t use workload secrets and are thus unaffected.\n\n### Patches\n\nN/A\n\n### Workarounds\n\nThis vulnerability can be mitigated by adding an environment variable `CONTRAST_LOG_LEVEL=warn` to the initializer after running `contrast generate`, and then running `contrast generate` again.\n\n### References\n\nN/A",
  "id": "GHSA-h5f8-crrq-4pw8",
  "modified": "2025-05-28T14:40:25Z",
  "published": "2025-05-28T14:40:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/contrast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Contrast workload secrets leak to logs on INFO level"
}

GHSA-H5WG-58JX-9RR7

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

Dell EMC Data Protection Search, 19.4 and prior, and IDPA, 2.6.1 and prior, contain an Information Exposure in Log File Vulnerability in CIS. A local low privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC Data Protection Search, 19.4 and prior, and IDPA, 2.6.1 and prior, contain an Information Exposure in Log File Vulnerability in CIS. A local low privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account.",
  "id": "GHSA-h5wg-58jx-9rr7",
  "modified": "2022-05-24T19:10:32Z",
  "published": "2022-05-24T19:10:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21601"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000189555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H62Q-WXXR-4QQJ

Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2026-02-23 09:31
VLAI
Details

In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-18T17:15:00Z",
    "severity": "LOW"
  },
  "details": "In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by default.",
  "id": "GHSA-h62q-wxxr-4qqj",
  "modified": "2026-02-23T09:31:16Z",
  "published": "2022-01-19T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41808"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2021-41808"
    },
    {
      "type": "WEB",
      "url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H653-95QW-H2MP

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-09-10 21:47
VLAI
Summary
Ansible leaks sensitive information to logs when told not to
Details

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.0rc4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0"
            },
            {
              "fixed": "2.6.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:14:26Z",
    "nvd_published_at": "2019-10-14T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as `no_log`, passing an invalid parameter name to the module will cause the task to fail before the `no_log` options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.",
  "id": "GHSA-h653-95qw-h2mp",
  "modified": "2024-09-10T21:47:33Z",
  "published": "2022-05-24T16:58:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/63405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/0fd656e9964a91f2e8b1e9bbf78c74661ab9d37b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/3dfb8e81bb5f776a6b00c7a90dd087e85b71f8bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/87f8d77d70476454f7fe2381bd363a329ce4266c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/f610ed3a4eb87eb557200606279796921fa9b722"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3201"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3202"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3203"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3207"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0756"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-171.yaml"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ansible leaks sensitive information to logs when told not to"
}

GHSA-H756-WCV2-R9G9

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system. The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76659.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-06T00:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system. The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76659.",
  "id": "GHSA-h756-wcv2-r9g9",
  "modified": "2022-05-13T01:36:31Z",
  "published": "2022-05-13T01:36:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6709"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H765-V877-JMQ3

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-31 00:00
VLAI
Details

Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-22T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user\u0027s sessions with specially constructed requests. This means the attacker is able to execute statements for which they don\u0027t have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs.",
  "id": "GHSA-h765-v877-jmq3",
  "modified": "2022-07-31T00:00:58Z",
  "published": "2022-05-24T19:09:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28131"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb54f54a91b7abaf1ed772f3a9cec290153c24881b25567b06f1b4a8c%40%3Cuser.impala.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb54f54a91b7abaf1ed772f3a9cec290153c24881b25567b06f1b4a8c@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb54f54a91b7abaf1ed772f3a9cec290153c24881b25567b06f1b4a8c@%3Cuser.impala.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/07/22/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H78W-G73R-8JRV

Vulnerability from github – Published: 2024-06-26 00:31 – Updated: 2025-12-30 18:30
VLAI
Details

An information disclosure vulnerability in Phloc Webscopes 7.0.0 allows local attackers with access to the log files to view logged HTTP requests that contain user passwords or other sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T22:15:35Z",
    "severity": "CRITICAL"
  },
  "details": "An information disclosure vulnerability in Phloc Webscopes 7.0.0 allows local attackers with access to the log files to view logged HTTP requests that contain user passwords or other sensitive information.",
  "id": "GHSA-h78w-g73r-8jrv",
  "modified": "2025-12-30T18:30:14Z",
  "published": "2024-06-26T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6060"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2024-6060"
    },
    {
      "type": "WEB",
      "url": "https://www.sonatype.com/security-advisories/cve-2024-6060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H8R2-7G59-CC4P

Vulnerability from github – Published: 2023-02-22 18:30 – Updated: 2023-03-03 03:30
VLAI
Details

IBM Spectrum Virtualize 8.3, 8.4, and 8.5 could disclose SNMPv3 server credentials to an authenticated user in log files. IBM X-Force ID: 239540.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-22T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Virtualize 8.3, 8.4, and 8.5 could disclose SNMPv3 server credentials to an authenticated user in log files. IBM X-Force ID: 239540.",
  "id": "GHSA-h8r2-7g59-cc4p",
  "modified": "2023-03-03T03:30:24Z",
  "published": "2023-02-22T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43870"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/239540"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6858045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.