CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-Q5J5-G96W-H2X7
Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-29 15:31A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.
{
"affected": [],
"aliases": [
"CVE-2024-44205"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-24T17:15:16Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.",
"id": "GHSA-q5j5-g96w-h2x7",
"modified": "2024-10-29T15:31:59Z",
"published": "2024-10-24T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44205"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120908"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120909"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120910"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120911"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120912"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5QJ-42FQ-523R
Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf.
{
"affected": [],
"aliases": [
"CVE-2018-1000123"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-13T21:29:00Z",
"severity": "CRITICAL"
},
"details": "Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim\u0027s iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf.",
"id": "GHSA-q5qj-42fq-523r",
"modified": "2022-05-14T03:31:32Z",
"published": "2022-05-14T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000123"
},
{
"type": "WEB",
"url": "https://github.com/ionic-team/cordova-plugin-ios-keychain/pull/29/commits/980230645c8ea3b531b85401de5e4bca0f860e42#diff-936020291e4c2115faff0171f20672a4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q636-FX55-GFR2
Vulnerability from github – Published: 2024-08-19 06:30 – Updated: 2024-08-19 18:32AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.
{
"affected": [],
"aliases": [
"CVE-2024-6451"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-19T06:15:05Z",
"severity": "HIGH"
},
"details": "AI Engine \u003c 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of \"logs_path\", allowing Administrators to change log filetypes from .log to .php.",
"id": "GHSA-q636-fx55-gfr2",
"modified": "2024-08-19T18:32:07Z",
"published": "2024-08-19T06:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6451"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/fc06d413-a227-470c-a5b7-cdab57aeab34"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q642-PW99-8MX6
Vulnerability from github – Published: 2022-05-17 03:01 – Updated: 2022-05-17 03:01IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in in log files that could be read by an authenticated user.
{
"affected": [],
"aliases": [
"CVE-2016-8912"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "MODERATE"
},
"details": "IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in in log files that could be read by an authenticated user.",
"id": "GHSA-q642-pw99-8mx6",
"modified": "2022-05-17T03:01:32Z",
"published": "2022-05-17T03:01:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8912"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/118390"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21993982"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94324"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q664-XXJG-CM3G
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
{
"affected": [],
"aliases": [
"CVE-2019-0004"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T21:29:00Z",
"severity": "MODERATE"
},
"details": "On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.",
"id": "GHSA-q664-xxjg-cm3g",
"modified": "2022-05-13T01:15:19Z",
"published": "2022-05-13T01:15:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0004"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q683-8468-R6H6
Vulnerability from github – Published: 2026-06-26 21:00 – Updated: 2026-06-26 21:00Impact
Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess() and onAuthenticationFailure() at INFO level:
$this->logger->info('User has been authenticated successfully with Webauthn.', [
'request' => $request,
'firewallName' => $firewallName,
'identifier' => $token->getUserIdentifier(),
]);
$this->logger->info('Webauthn authentication request failed.', [
'request' => $request,
'exception' => $exception,
]);
Request::__toString() returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for LineFormatter, JsonFormatter via NormalizerFormatter, etc.), sensitive headers such as Cookie (session identifier), Authorization and any custom auth header are written to the log stream in clear text.
Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.
Affected versions
Every release prior to 5.3.4 is affected.
Patches
The fix removes the full Request object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.
Workarounds
Until the upgrade is applied, projects can:
- Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.
- Configure their Monolog processor/formatter to strip the
requestkey from the context of these records before they are written.
Credit
Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "web-auth/webauthn-symfony-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:00:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\n`Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator` logs the full `Symfony\\Component\\HttpFoundation\\Request` object inside the log context of both `onAuthenticationSuccess()` and `onAuthenticationFailure()` at INFO level:\n\n```php\n$this-\u003elogger-\u003einfo(\u0027User has been authenticated successfully with Webauthn.\u0027, [\n \u0027request\u0027 =\u003e $request,\n \u0027firewallName\u0027 =\u003e $firewallName,\n \u0027identifier\u0027 =\u003e $token-\u003egetUserIdentifier(),\n]);\n\n$this-\u003elogger-\u003einfo(\u0027Webauthn authentication request failed.\u0027, [\n \u0027request\u0027 =\u003e $request,\n \u0027exception\u0027 =\u003e $exception,\n]);\n```\n\n`Request::__toString()` returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for `LineFormatter`, `JsonFormatter` via `NormalizerFormatter`, etc.), sensitive headers such as `Cookie` (session identifier), `Authorization` and any custom auth header are written to the log stream in clear text.\n\nApplications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.\n\n## Affected versions\n\nEvery release prior to 5.3.4 is affected.\n\n## Patches\n\nThe fix removes the full `Request` object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.\n\n## Workarounds\n\nUntil the upgrade is applied, projects can:\n\n1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.\n2. Configure their Monolog processor/formatter to strip the `request` key from the context of these records before they are written.\n\n## Credit\n\nReported by Kay Joosten (Dawn Technology), maintainer of [Stepup-Webauthn](https://github.com/OpenConext/Stepup-Webauthn).",
"id": "GHSA-q683-8468-r6h6",
"modified": "2026-06-26T21:00:49Z",
"published": "2026-06-26T21:00:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-q683-8468-r6h6"
},
{
"type": "PACKAGE",
"url": "https://github.com/web-auth/webauthn-framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs"
}
GHSA-Q6FP-96RM-R5MQ
Vulnerability from github – Published: 2024-01-05 12:30 – Updated: 2026-04-28 21:33Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.
{
"affected": [],
"aliases": [
"CVE-2023-52146"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-05T11:15:10Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.",
"id": "GHSA-q6fp-96rm-r5mq",
"modified": "2026-04-28T21:33:45Z",
"published": "2024-01-05T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52146"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/404-solution/wordpress-404-solution-plugin-2-33-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q6FR-25PH-FPVF
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
{
"affected": [],
"aliases": [
"CVE-2026-56457"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T14:16:58Z",
"severity": "MODERATE"
},
"details": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.",
"id": "GHSA-q6fr-25ph-fpvf",
"modified": "2026-06-29T15:32:06Z",
"published": "2026-06-29T15:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56457"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q6HQ-Q4XR-93FP
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2021-44234"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
"id": "GHSA-q6hq-q4xr-93fp",
"modified": "2022-01-22T00:02:03Z",
"published": "2022-01-15T00:01:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44234"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3106528"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q722-MHCX-9M8W
Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2024-40679"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T01:15:06Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.",
"id": "GHSA-q722-mhcx-9m8w",
"modified": "2025-01-08T03:30:23Z",
"published": "2025-01-08T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40679"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.