Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-HFRG-MCVW-8MCH

Vulnerability from github – Published: 2026-04-16 20:42 – Updated: 2026-04-24 20:36
VLAI
Summary
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
Details

Summary

The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

Impact

This data is exposed to: - Anyone with access to application logs (stdout/log files) - Any Valtimo user with the admin role, through the logging module in the Admin UI

Affected Code

com.ritense.inbox.InboxHandlingService#handle in the inbox module.

Resolution

Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

Mitigation

For versions before 13.22.0, consider: - Restricting access to application logs - Adjusting the log level for com.ritense.inbox to WARN or higher in your application configuration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ritense.valtimo:inbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0.RELEASE"
            },
            {
              "fixed": "13.22.0.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:42:55Z",
    "nvd_published_at": "2026-04-16T22:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info(\"Received message: {}\", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.\n\n### Impact\n\nThis data is exposed to:\n- Anyone with access to application logs (stdout/log files)\n- Any Valtimo user with the admin role, through the logging module in the Admin UI\n\n### Affected Code\n\n`com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module.\n\n### Resolution\n\nFixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.\n\n### Mitigation\n\nFor versions before 13.22.0, consider:\n- Restricting access to application logs\n- Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration",
  "id": "GHSA-hfrg-mcvw-8mch",
  "modified": "2026-04-24T20:36:49Z",
  "published": "2026-04-16T20:42:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-hfrg-mcvw-8mch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34164"
    },
    {
      "type": "WEB",
      "url": "https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/pull/497"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/valtimo-platform/valtimo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService"
}

GHSA-HG9M-423C-V2W6

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-07T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626.",
  "id": "GHSA-hg9m-423c-v2w6",
  "modified": "2022-05-13T01:31:14Z",
  "published": "2022-05-13T01:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4008"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155626"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10869772"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106961"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGG8-FQQC-VFMW

Vulnerability from github – Published: 2026-06-17 14:04 – Updated: 2026-06-17 14:05
VLAI
Summary
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Details

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router

Researcher: Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research Severity: CVSS 3.1 5.3 (Medium) AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Target: https://github.com/vllm-project/vllm


Summary

The fix for CVE-2026-22778 / GHSA-4r2x-xpjr-7cvv (PRs #31987 and #32319) introduced sanitize_message and applied it at four FastAPI exception-handling sites in the OpenAI router. The sanitizer strips object-repr memory addresses (<_io.BytesIO object at 0x7a95e299e750><_io.BytesIO object>) before error messages reach the client, defeating the ASLR-bypass primitive that CVE-2026-22778 chained with a libopenjp2 heap overflow for RCE.

The fix is incomplete: response paths added to vLLM at or after the same time as the fix continue to echo str(exc) directly to clients without sanitize_message. The original Stage 1 primitive — sending malformed image bytes so PIL raises UnidentifiedImageError whose message contains the BytesIO object repr — reaches all of them unmodified and leaks the heap address verbatim in the response body.

All five lines below are present in main HEAD (771e1e48b, 2026-05-26).

Affected sites

Current main HEAD (771e1e48b, 2026-05-26):

# File Line Code
1 vllm/entrypoints/anthropic/api_router.py 78 message=str(e), (inside POST /v1/messages exception handler)
2 vllm/entrypoints/anthropic/api_router.py 124 message=str(e), (inside POST /v1/messages/count_tokens)
3 vllm/entrypoints/anthropic/serving.py 808 error=AnthropicError(type="internal_error", message=str(e)), (SSE streaming converter)
4 vllm/entrypoints/speech_to_text/realtime/connection.py 75 await self.send_error(str(e), "processing_error") (WebSocket event loop)
5 vllm/entrypoints/speech_to_text/realtime/connection.py 265 await self.send_error(str(e), "processing_error") (WebSocket generation loop)

Why the global exception handler does not save these paths

api_server.py registers a catch-all app.exception_handler(Exception)(exception_handler) at line 262, and that handler calls create_error_response(exc) which DOES apply sanitize_message. However, FastAPI exception handlers fire only on unhandled exceptions that propagate out of a route function.

All affected HTTP paths catch Exception inside the route coroutine and construct the response themselves:

# vllm/entrypoints/anthropic/api_router.py:71-81 (POST /v1/messages)
try:
    generator = await handler.create_messages(request, raw_request)
except Exception as e:
    logger.exception("Error in create_messages: %s", e)
    return JSONResponse(
        status_code=HTTPStatus.INTERNAL_SERVER_ERROR.value,
        content=AnthropicErrorResponse(
            error=AnthropicError(
                type="internal_error",
                message=str(e),       # <-- unsanitized
            )
        ).model_dump(),
    )

Because the exception is caught and a JSONResponse is returned in-route, every registered FastAPI exception handler — including the sanitizing global one — is bypassed. The WebSocket path bypasses it for a different reason: WebSocket frames don't traverse FastAPI's HTTP exception handler chain at all.

Reachability — the same primitive as the parent CVE

The Anthropic Messages API accepts image content parts in the request body (type: "image" with base64 source.data or type: "image_url"). Image bytes are passed to the same multimodal loader used by the OpenAI router. Malformed bytes cause PIL.Image.open to raise:

UnidentifiedImageError: cannot identify image file <_io.BytesIO object at 0x7a95e299e750>

The exception propagates up through handler.create_messages into the except Exception as e: at api_router.py:75. str(e) returns the exception message verbatim, including the address. The address ends up in the error.message field of the JSON response body returned to the attacker. ASLR entropy on the affected process drops from ~4 billion to ~8 candidates, identically to CVE-2026-22778 Stage 1.

The same primitive is reachable on POST /v1/messages/count_tokens (route #2), inside the SSE streaming converter when an exception is raised mid-stream (route #3), and over the realtime speech-to-text WebSocket when audio decoder or generation paths raise an exception containing any object repr (routes #4, #5).

Chronology — these are scope misses, not legacy code

  • 2026-01-09: PR #31987 (aa125ecf0) introduces sanitize_message and applies it to OpenAI router HTTP exception handlers.
  • 2026-01-15 (six days later): PR #32369 (4c1c501a7) adds vllm/entrypoints/anthropic/api_router.py containing line 78's message=str(e). The fix was not applied to the new router.
  • 2026-03-02 (~two months later): PR #35588 (9a87b0578) adds the Anthropic count_tokens endpoint, replicating the same message=str(e) pattern at line 124.
  • 2026-05-12 (~four months later): PR #42370 (d37e25ffb) consolidates speech-to-text entrypoints and the realtime WebSocket uses send_error(str(e), ...) for both error paths.
  • 2026-05-26: current main HEAD, all five lines still present.

Remediation

1. Apply sanitize_message symmetrically to the five sites

# vllm/entrypoints/anthropic/api_router.py — add at top:
from vllm.entrypoints.utils import sanitize_message

# Line 78 (POST /v1/messages) and Line 124 (count_tokens):
message=sanitize_message(str(e)),
# vllm/entrypoints/anthropic/serving.py — add at top:
from vllm.entrypoints.utils import sanitize_message

# Line 808:
error=AnthropicError(type="internal_error", message=sanitize_message(str(e))),
# vllm/entrypoints/speech_to_text/realtime/connection.py — add at top:
from vllm.entrypoints.utils import sanitize_message

# Lines 75 and 265:
await self.send_error(sanitize_message(str(e)), "processing_error")

2. Tighten the regex (defense in depth)

The current regex r" at 0x[0-9a-f]+>" is narrow — it only matches the exact CPython builtin object-repr suffix in lowercase hex with a trailing >. Future Python versions, C extensions, or custom __repr__ methods could produce non-matching formats that re-enable the leak:

# vllm/entrypoints/utils.py
def sanitize_message(message: str) -> str:
    # Strip any standalone hex address; downstream observers don't need them.
    return re.sub(r"\b0x[0-9a-fA-F]{6,}\b", "0x?", message)

3. Future-proofing: consider a response middleware

Both the route-local exception handling pattern (Anthropic router) and the WebSocket path bypass FastAPI's exception handler chain. A response-level middleware that always invokes sanitize_message on outgoing error bodies would prevent this class of regression entirely.

Affected versions

  • All vLLM versions containing vllm/entrypoints/anthropic/api_router.py (introduced 2026-01-15 in PR #32369).
  • All vLLM versions containing vllm/entrypoints/speech_to_text/realtime/connection.py (introduced 2026-05-12 in PR #42370).
  • Confirmed present in main HEAD 771e1e48b (2026-05-26).

Steps to reproduce

  1. Clone the target: git clone --depth 1 https://github.com/vllm-project/vllm
  2. Run the proof of concept (PoC.py) against the cloned source.
  3. Observe the result shown under Verified result below.

Credit

Kai Aizen — SnailSploit (@SnailSploit). Adversarial & Offensive Security Research.

Fix

A fix for this vulnerability was added here: https://github.com/vllm-project/vllm/pull/45119

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:04:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router\n\n**Researcher:** Kai Aizen \u2014 SnailSploit (@SnailSploit), Adversarial \u0026 Offensive Security Research\n**Severity:** CVSS 3.1 5.3 (Medium)  `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`\n**Target:** https://github.com/vllm-project/vllm\n\n---\n\n## Summary\n\nThe fix for CVE-2026-22778 / GHSA-4r2x-xpjr-7cvv (PRs #31987 and #32319) introduced `sanitize_message` and applied it at four FastAPI exception-handling sites in the OpenAI router. The sanitizer strips object-repr memory addresses (`\u003c_io.BytesIO object at 0x7a95e299e750\u003e` \u2192 `\u003c_io.BytesIO object\u003e`) before error messages reach the client, defeating the ASLR-bypass primitive that CVE-2026-22778 chained with a libopenjp2 heap overflow for RCE.\n\nThe fix is incomplete: response paths added to vLLM at or after the same time as the fix continue to echo `str(exc)` directly to clients without `sanitize_message`. The original Stage 1 primitive \u2014 sending malformed image bytes so PIL raises `UnidentifiedImageError` whose message contains the BytesIO object repr \u2014 reaches all of them unmodified and leaks the heap address verbatim in the response body.\n\nAll five lines below are present in `main` HEAD (`771e1e48b`, 2026-05-26).\n\n## Affected sites\n\nCurrent `main` HEAD (`771e1e48b`, 2026-05-26):\n\n| # | File | Line | Code |\n|---|---|---|---|\n| 1 | `vllm/entrypoints/anthropic/api_router.py` | 78 | `message=str(e),` (inside `POST /v1/messages` exception handler) |\n| 2 | `vllm/entrypoints/anthropic/api_router.py` | 124 | `message=str(e),` (inside `POST /v1/messages/count_tokens`) |\n| 3 | `vllm/entrypoints/anthropic/serving.py` | 808 | `error=AnthropicError(type=\"internal_error\", message=str(e)),` (SSE streaming converter) |\n| 4 | `vllm/entrypoints/speech_to_text/realtime/connection.py` | 75 | `await self.send_error(str(e), \"processing_error\")` (WebSocket event loop) |\n| 5 | `vllm/entrypoints/speech_to_text/realtime/connection.py` | 265 | `await self.send_error(str(e), \"processing_error\")` (WebSocket generation loop) |\n\n## Why the global exception handler does not save these paths\n\n`api_server.py` registers a catch-all `app.exception_handler(Exception)(exception_handler)` at line 262, and that handler calls `create_error_response(exc)` which DOES apply `sanitize_message`. However, FastAPI exception handlers fire only on **unhandled** exceptions that propagate out of a route function.\n\nAll affected HTTP paths catch `Exception` *inside* the route coroutine and construct the response themselves:\n\n```python\n# vllm/entrypoints/anthropic/api_router.py:71-81 (POST /v1/messages)\ntry:\n    generator = await handler.create_messages(request, raw_request)\nexcept Exception as e:\n    logger.exception(\"Error in create_messages: %s\", e)\n    return JSONResponse(\n        status_code=HTTPStatus.INTERNAL_SERVER_ERROR.value,\n        content=AnthropicErrorResponse(\n            error=AnthropicError(\n                type=\"internal_error\",\n                message=str(e),       # \u003c-- unsanitized\n            )\n        ).model_dump(),\n    )\n```\n\nBecause the exception is caught and a `JSONResponse` is returned in-route, every registered FastAPI exception handler \u2014 including the sanitizing global one \u2014 is bypassed. The WebSocket path bypasses it for a different reason: WebSocket frames don\u0027t traverse FastAPI\u0027s HTTP exception handler chain at all.\n\n## Reachability \u2014 the same primitive as the parent CVE\n\nThe Anthropic Messages API accepts image content parts in the request body (`type: \"image\"` with base64 `source.data` or `type: \"image_url\"`). Image bytes are passed to the same multimodal loader used by the OpenAI router. Malformed bytes cause `PIL.Image.open` to raise:\n\n```\nUnidentifiedImageError: cannot identify image file \u003c_io.BytesIO object at 0x7a95e299e750\u003e\n```\n\nThe exception propagates up through `handler.create_messages` into the `except Exception as e:` at `api_router.py:75`. `str(e)` returns the exception message verbatim, including the address. The address ends up in the `error.message` field of the JSON response body returned to the attacker. ASLR entropy on the affected process drops from ~4 billion to ~8 candidates, identically to CVE-2026-22778 Stage 1.\n\nThe same primitive is reachable on `POST /v1/messages/count_tokens` (route #2), inside the SSE streaming converter when an exception is raised mid-stream (route #3), and over the realtime speech-to-text WebSocket when audio decoder or generation paths raise an exception containing any object repr (routes #4, #5).\n\n## Chronology \u2014 these are scope misses, not legacy code\n\n- **2026-01-09:** PR #31987 (`aa125ecf0`) introduces `sanitize_message` and applies it to OpenAI router HTTP exception handlers.\n- **2026-01-15** (six days later): PR #32369 (`4c1c501a7`) adds `vllm/entrypoints/anthropic/api_router.py` containing line 78\u0027s `message=str(e)`. The fix was not applied to the new router.\n- **2026-03-02** (~two months later): PR #35588 (`9a87b0578`) adds the Anthropic `count_tokens` endpoint, replicating the same `message=str(e)` pattern at line 124.\n- **2026-05-12** (~four months later): PR #42370 (`d37e25ffb`) consolidates speech-to-text entrypoints and the realtime WebSocket uses `send_error(str(e), ...)` for both error paths.\n- **2026-05-26:** current `main` HEAD, all five lines still present.\n\n\n## Remediation\n\n### 1. Apply `sanitize_message` symmetrically to the five sites\n\n```python\n# vllm/entrypoints/anthropic/api_router.py \u2014 add at top:\nfrom vllm.entrypoints.utils import sanitize_message\n\n# Line 78 (POST /v1/messages) and Line 124 (count_tokens):\nmessage=sanitize_message(str(e)),\n```\n\n```python\n# vllm/entrypoints/anthropic/serving.py \u2014 add at top:\nfrom vllm.entrypoints.utils import sanitize_message\n\n# Line 808:\nerror=AnthropicError(type=\"internal_error\", message=sanitize_message(str(e))),\n```\n\n```python\n# vllm/entrypoints/speech_to_text/realtime/connection.py \u2014 add at top:\nfrom vllm.entrypoints.utils import sanitize_message\n\n# Lines 75 and 265:\nawait self.send_error(sanitize_message(str(e)), \"processing_error\")\n```\n\n### 2. Tighten the regex (defense in depth)\n\nThe current regex `r\" at 0x[0-9a-f]+\u003e\"` is narrow \u2014 it only matches the exact CPython builtin object-repr suffix in lowercase hex with a trailing `\u003e`. Future Python versions, C extensions, or custom `__repr__` methods could produce non-matching formats that re-enable the leak:\n\n```python\n# vllm/entrypoints/utils.py\ndef sanitize_message(message: str) -\u003e str:\n    # Strip any standalone hex address; downstream observers don\u0027t need them.\n    return re.sub(r\"\\b0x[0-9a-fA-F]{6,}\\b\", \"0x?\", message)\n```\n\n### 3. Future-proofing: consider a response middleware\n\nBoth the route-local exception handling pattern (Anthropic router) and the WebSocket path bypass FastAPI\u0027s exception handler chain. A response-level middleware that always invokes `sanitize_message` on outgoing error bodies would prevent this class of regression entirely.\n\n## Affected versions\n\n- All vLLM versions containing `vllm/entrypoints/anthropic/api_router.py` (introduced 2026-01-15 in PR #32369).\n- All vLLM versions containing `vllm/entrypoints/speech_to_text/realtime/connection.py` (introduced 2026-05-12 in PR #42370).\n- Confirmed present in `main` HEAD `771e1e48b` (2026-05-26).\n\n\n## Steps to reproduce\n\n1. Clone the target: `git clone --depth 1 https://github.com/vllm-project/vllm`\n2. Run the proof of concept (`PoC.py`) against the cloned source.\n3. Observe the result shown under *Verified result* below.\n\n## Credit\n\nKai Aizen \u2014 SnailSploit (@SnailSploit). Adversarial \u0026 Offensive Security Research.\n\n## Fix\n\nA fix for this vulnerability was added here: https://github.com/vllm-project/vllm/pull/45119",
  "id": "GHSA-hgg8-fqqc-vfmw",
  "modified": "2026-06-17T14:05:32Z",
  "published": "2026-06-17T14:04:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/45119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router"
}

GHSA-HH3R-H56V-MWCG

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00
VLAI
Details

A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability is due to the storage of certain unencrypted credentials. An attacker could exploit this vulnerability by accessing the audit logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to use those credentials to access confidential information, some of which may contain personally identifiable information (PII). Note: To access the logs that are stored in the RoomOS Cloud, an attacker would need valid Administrator-level credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-06T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability is due to the storage of certain unencrypted credentials. An attacker could exploit this vulnerability by accessing the audit logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to use those credentials to access confidential information, some of which may contain personally identifiable information (PII). Note: To access the logs that are stored in the RoomOS Cloud, an attacker would need valid Administrator-level credentials.",
  "id": "GHSA-hh3r-h56v-mwcg",
  "modified": "2022-07-15T00:00:19Z",
  "published": "2022-07-07T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20768"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-infodisc-YOTz9Ct7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHMH-4792-PF49

Vulnerability from github – Published: 2025-03-27 12:30 – Updated: 2025-03-27 12:30
VLAI
Details

In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T12:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log",
  "id": "GHSA-hhmh-4792-pf49",
  "modified": "2025-03-27T12:30:43Z",
  "published": "2025-03-27T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31139"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHP2-JG36-4H6Q

Vulnerability from github – Published: 2025-04-03 18:30 – Updated: 2025-04-03 18:30
VLAI
Details

In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T17:15:30Z",
    "severity": "LOW"
  },
  "details": "In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file",
  "id": "GHSA-hhp2-jg36-4h6q",
  "modified": "2025-04-03T18:30:59Z",
  "published": "2025-04-03T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32054"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ2F-VPX3-M87H

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:28
VLAI
Details

In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-15T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.",
  "id": "GHSA-hj2f-vpx3-m87h",
  "modified": "2024-04-04T02:28:59Z",
  "published": "2022-05-24T16:58:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17395"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/8dvs5RcJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ49-GV4M-X7JM

Vulnerability from github – Published: 2025-05-13 00:31 – Updated: 2025-11-03 21:33
VLAI
Details

A logging issue was addressed with improved data redaction. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. An app may be able to access associated usernames and websites in a user's iCloud Keychain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T22:15:22Z",
    "severity": "HIGH"
  },
  "details": "A logging issue was addressed with improved data redaction. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. An app may be able to access associated usernames and websites in a user\u0027s iCloud Keychain.",
  "id": "GHSA-hj49-gv4m-x7jm",
  "modified": "2025-11-03T21:33:50Z",
  "published": "2025-05-13T00:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31213"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122405"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122716"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122717"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122718"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/6"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/7"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ4R-2C9C-29H3

Vulnerability from github – Published: 2023-12-12 21:31 – Updated: 2024-06-25 14:06
VLAI
Summary
Elastic Beats inserts sensitive information into log file
Details

An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/elastic/beats/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.17.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/elastic/beats"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/elastic/beats"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.17.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-19T21:11:31Z",
    "nvd_published_at": "2023-12-12T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.",
  "id": "GHSA-hj4r-2c9c-29h3",
  "modified": "2024-06-25T14:06:38Z",
  "published": "2023-12-12T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49922"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elastic/beats/commit/9bd7de84ab9c31bb4e1c0a348a7b7c26817a0996"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/beats-and-elastic-agent-8-11-3-7-17-16-security-update-esa-2023-30/349180"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/beats"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elastic Beats inserts sensitive information into log file"
}

GHSA-HJ4V-MRQP-X329

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-05T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand.",
  "id": "GHSA-hj4v-mrqp-x329",
  "modified": "2022-05-13T01:19:12Z",
  "published": "2022-05-13T01:19:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15797"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2018-15797"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.