CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-PXV2-R799-MJ6C
Vulnerability from github – Published: 2025-06-16 18:32 – Updated: 2025-06-16 18:32A flaw exists in FlashArray whereby the Key Encryption Key (KEK) is logged during key rotation when RDL is configured.
{
"affected": [],
"aliases": [
"CVE-2025-2327"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-16T17:15:28Z",
"severity": "MODERATE"
},
"details": "A flaw exists in FlashArray whereby the Key Encryption Key (KEK) is logged during key rotation when RDL is configured.",
"id": "GHSA-pxv2-r799-mj6c",
"modified": "2025-06-16T18:32:19Z",
"published": "2025-06-16T18:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2327"
},
{
"type": "WEB",
"url": "https://support.purestorage.com/category/m_pure_storage_product_security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PXX3-8XW2-8X5X
Vulnerability from github – Published: 2024-04-18 12:30 – Updated: 2026-04-28 21:34Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3.
{
"affected": [],
"aliases": [
"CVE-2024-32686"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T11:15:38Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3.",
"id": "GHSA-pxx3-8xw2-8x5x",
"modified": "2026-04-28T21:34:51Z",
"published": "2024-04-18T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32686"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/backup-backup/wordpress-backup-migration-plugin-1-4-3-sensitive-data-exposure-via-log-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXXX-P822-7V7M
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A log information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view log information reserved for other users.
{
"affected": [],
"aliases": [
"CVE-2020-11646"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "A log information disclosure vulnerability in B\u0026R GateManager 4260 and 9250 versions \u003c9.0.20262 and GateManager 8250 versions \u003c9.2.620236042 allows authenticated users to view log information reserved for other users.",
"id": "GHSA-pxxx-p822-7v7m",
"modified": "2022-05-24T17:30:43Z",
"published": "2022-05-24T17:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11646"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-273-03"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q24M-6H38-5XJ8
Vulnerability from github – Published: 2023-10-19 17:10 – Updated: 2023-10-24 22:48Impact
Since ydb-go-sdk/v3.48.6 if you use a custom credentials object (implementation of interface Credentials) it may leak into logs. This happens because this object could be serialized into an error message using fmt.Errorf("something went wrong (credentials: %q)", credentials) during connection to the YDB server. Printf func use placeholder %q for string representation of argument with quotes. If an argument implements interface fmt.Stringer, it will used through String() func. In other cases used fallback - serialization with reflection.
If such logging occurred, a malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database.
Who is impacted: applications with custom credentials object with an explicit token field.
A leak could have occurred if all of these conditions were met simultaneously:
1) The credentials object does not implement the fmt.Stringer interface (does not have a String() method) - potentially these are custom credentials. Official credentials have a String() method.
2) There was an error connecting to YDB during driver creation via ydb.Open(...).
3) Some logging system was configured (ydb-go-sdk does not log such errors by default).
4) The connection error was logged into a system that a malicious user had access to.
Patches
ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3 (PR).
Workarounds
Implement the fmt.Stringer interface in your custom credentials type with explicit stringify of object state.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ydb-platform/ydb-go-sdk/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.48.6"
},
{
"fixed": "3.53.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45825"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T17:10:00Z",
"nvd_published_at": "2023-10-19T19:15:16Z",
"severity": "MODERATE"
},
"details": "### Impact\nSince [ydb-go-sdk/v3.48.6](https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71) if you use a custom credentials object (implementation of interface [Credentials](https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10)) it may leak into logs. This happens because this object could be serialized into an error message using `fmt.Errorf(\"something went wrong (credentials: %q)\", credentials)` during connection to the YDB server. Printf func use placeholder `%q` for string representation of argument with quotes. If an argument implements interface `fmt.Stringer`, it will used through `String()` func. In other cases used fallback - serialization with reflection.\n\nIf such logging occurred, a malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database.\n\nWho is impacted: applications with custom credentials object with an explicit token field.\n\nA leak could have occurred if all of these conditions were met simultaneously:\n1) The credentials object does not implement the `fmt.Stringer` interface (does not have a `String()` method) - potentially these are custom credentials. Official credentials have a `String()` method.\n2) There was an error connecting to YDB during driver creation via `ydb.Open(...)`.\n3) Some logging system was configured (`ydb-go-sdk` does not log such errors by default).\n4) The connection error was logged into a system that a malicious user had access to.\n\n### Patches\n`ydb-go-sdk` contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3 ([PR](https://github.com/ydb-platform/ydb-go-sdk/pull/859)).\n\n### Workarounds\nImplement the `fmt.Stringer` interface in your custom credentials type with explicit stringify of object state.",
"id": "GHSA-q24m-6h38-5xj8",
"modified": "2023-10-24T22:48:40Z",
"published": "2023-10-19T17:10:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45825"
},
{
"type": "WEB",
"url": "https://github.com/ydb-platform/ydb-go-sdk/pull/859"
},
{
"type": "WEB",
"url": "https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/ydb-platform/ydb-go-sdk"
},
{
"type": "WEB",
"url": "https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10"
},
{
"type": "WEB",
"url": "https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ydb-go-sdk token in custom credentials object can leak through logs"
}
GHSA-Q298-375F-5Q63
Vulnerability from github – Published: 2025-03-13 18:57 – Updated: 2025-03-13 21:39Issue
Snowflake discovered and remediated a vulnerability in the Snowflake JDBC driver (“Driver”). When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake.
This vulnerability affects Driver versions 3.0.13 through 3.23.0. Snowflake fixed the issue in version 3.23.1.
Vulnerability Details
When the logging level was set to DEBUG, the Driver would locally log the client-side encryption master key of the target stage during the execution of GET/PUT commands. The key was logged in a JSON object under the queryStageMasterKey key. The key by itself does not grant access to any sensitive data.
Solution
Snowflake released version 3.23.1 of the Snowflake JDBC driver, which fixes this issue. We highly recommend users upgrade to version 3.23.1.
Additional Information
If you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our Vulnerability Disclosure Policy.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.23.0"
},
"package": {
"ecosystem": "Maven",
"name": "net.snowflake:snowflake-jdbc"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.13"
},
{
"fixed": "3.23.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27496"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T18:57:46Z",
"nvd_published_at": "2025-03-13T19:15:52Z",
"severity": "LOW"
},
"details": "### Issue\nSnowflake discovered and remediated a vulnerability in the Snowflake JDBC driver (\u201cDriver\u201d). When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake.\n\nThis vulnerability affects Driver versions 3.0.13 through 3.23.0. Snowflake fixed the issue in version 3.23.1.\n\n### Vulnerability Details\nWhen the logging level was set to DEBUG, the Driver would locally log the client-side encryption master key of the target stage during the execution of GET/PUT commands. The key was logged in a JSON object under the queryStageMasterKey key. The key by itself does not grant access to any sensitive data.\n\n### Solution\nSnowflake released version 3.23.1 of the Snowflake JDBC driver, which fixes this issue. We highly recommend users upgrade to version 3.23.1.\n\n### Additional Information\nIf you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).",
"id": "GHSA-q298-375f-5q63",
"modified": "2025-03-13T21:39:12Z",
"published": "2025-03-13T18:57:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-q298-375f-5q63"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27496"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/commit/ef81582ce2f1dbc3c8794a696c94f4fe65fad507"
},
{
"type": "PACKAGE",
"url": "https://github.com/snowflakedb/snowflake-jdbc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Snowflake JDBC Driver client-side encryption key in DEBUG logs"
}
GHSA-Q3P5-XQF4-5MGF
Vulnerability from github – Published: 2023-12-12 18:31 – Updated: 2023-12-12 18:31An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
{
"affected": [],
"aliases": [
"CVE-2023-49923"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T18:15:23Z",
"severity": "MODERATE"
},
"details": " An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.",
"id": "GHSA-q3p5-xqf4-5mgf",
"modified": "2023-12-12T18:31:35Z",
"published": "2023-12-12T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49923"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/enterprise-search-8-11-2-7-17-16-security-update-esa-2023-31/349181"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q433-J342-RP9H
Vulnerability from github – Published: 2026-01-15 18:11 – Updated: 2026-01-15 20:17Summary
The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.
Details
It’s better to remove both lines, as this information makes little sense in this context anyway.
https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92 https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93
PoC
In the Pimcore backend, navigate to "Search Engine Optimization" and click on "HTTP Errors." Double-click on an entry to view its details. Here, you may find sensitive data exposed.
Impact
Pimcore backend users can access sensitive environment variables, potentially exposing critical information.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.3"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0-RC1"
},
{
"fixed": "12.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.13"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.5.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23493"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-15T18:11:46Z",
"nvd_published_at": "2026-01-15T17:16:08Z",
"severity": "HIGH"
},
"details": "### Summary\nThe http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.\n\n### Details\nIt\u2019s better to remove both lines, as this information makes little sense in this context anyway.\n\nhttps://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92\nhttps://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93\n\n### PoC\nIn the Pimcore backend, navigate to \"Search Engine Optimization\" and click on \"HTTP Errors.\" Double-click on an entry to view its details. Here, you may find sensitive data exposed.\n\n### Impact\nPimcore backend users can access sensitive environment variables, potentially exposing critical information.",
"id": "GHSA-q433-j342-rp9h",
"modified": "2026-01-15T20:17:42Z",
"published": "2026-01-15T18:11:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23493"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/18918"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Pimcore ENV Variables and Cookie Informations are exposed in http_error_log"
}
GHSA-Q4P7-87J5-56XV
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Insertion of Sensitive Information into Log File vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress & Debug allows Retrieve Embedded Sensitive Data. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through 1.2.
{
"affected": [],
"aliases": [
"CVE-2025-31788"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:16Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug allows Retrieve Embedded Sensitive Data. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through 1.2.",
"id": "GHSA-q4p7-87j5-56xv",
"modified": "2026-04-01T18:34:20Z",
"published": "2025-04-01T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31788"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/all-in-one-performance-accelerator/vulnerability/wordpress-aio-performance-profiler-monitor-optimize-compress-debug-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q4P8-C668-H326
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.
{
"affected": [],
"aliases": [
"CVE-2017-9271"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-01T20:29:00Z",
"severity": "LOW"
},
"details": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.",
"id": "GHSA-q4p8-c668-h326",
"modified": "2022-05-13T01:11:38Z",
"published": "2022-05-13T01:11:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9271"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG"
},
{
"type": "WEB",
"url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5GV-8P63-3QRR
Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2026-04-28 21:34Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro – Payfast Gateway Add On.This issue affects Paid Memberships Pro – Payfast Gateway Add On: from n/a through 1.4.1.
{
"affected": [],
"aliases": [
"CVE-2024-30514"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-29T16:15:10Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro \u2013 Payfast Gateway Add On.This issue affects Paid Memberships Pro \u2013 Payfast Gateway Add On: from n/a through 1.4.1.",
"id": "GHSA-q5gv-8p63-3qrr",
"modified": "2026-04-28T21:34:25Z",
"published": "2024-03-29T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30514"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/pmpro-payfast/wordpress-paid-memberships-pro-payfast-gateway-add-on-plugin-1-4-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.