CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-QGMM-F2QW-R95F
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2024-04-22 23:11A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1698"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:11:33Z",
"nvd_published_at": "2020-05-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-qgmm-f2qw-r95f",
"modified": "2024-04-22T23:11:33Z",
"published": "2022-05-24T17:17:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1698"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/6751"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/62c9e1577618470832ede22dcedd46cba15b1836"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak leaks sensitive information in logged exceptions"
}
GHSA-QGVX-32F8-PQ66
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-01-31 21:30IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive information from log files when debugging is enabled. IBM X-Force ID: 160765.
{
"affected": [],
"aliases": [
"CVE-2019-4299"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive information from log files when debugging is enabled. IBM X-Force ID: 160765.",
"id": "GHSA-qgvx-32f8-pq66",
"modified": "2023-01-31T21:30:17Z",
"published": "2022-05-24T16:49:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4299"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160765"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10884842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGWP-X6H8-QX34
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Improper log management vulnerability in Watch Active2 PlugIn prior to 2.2.08.21033151 version allows attacker with log permissions to leak Wi-Fi password connected to the user smartphone via log.
{
"affected": [],
"aliases": [
"CVE-2021-25423"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Improper log management vulnerability in Watch Active2 PlugIn prior to 2.2.08.21033151 version allows attacker with log permissions to leak Wi-Fi password connected to the user smartphone via log.",
"id": "GHSA-qgwp-x6h8-qx34",
"modified": "2022-05-24T19:05:06Z",
"published": "2022-05-24T19:05:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25423"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QH9X-MC42-VG4G
Vulnerability from github – Published: 2022-05-14 03:32 – Updated: 2024-11-18 16:26Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-anymail"
},
"ranges": [
{
"events": [
{
"introduced": "0.2"
},
{
"fixed": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000089"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-27T21:33:52Z",
"nvd_published_at": "2018-03-13T15:29:00Z",
"severity": "CRITICAL"
},
"details": "Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.",
"id": "GHSA-qh9x-mc42-vg4g",
"modified": "2024-11-18T16:26:21Z",
"published": "2022-05-14T03:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000089"
},
{
"type": "WEB",
"url": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qh9x-mc42-vg4g"
},
{
"type": "PACKAGE",
"url": "https://github.com/anymail/django-anymail"
},
{
"type": "WEB",
"url": "https://github.com/anymail/django-anymail/releases/tag/v1.4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-anymail/PYSEC-2018-46.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "django-anymail Includes Sensitive Information in Log Files"
}
GHSA-QHQ8-VG87-FPM2
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files.
{
"affected": [],
"aliases": [
"CVE-2021-23924"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-01T22:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files.",
"id": "GHSA-qhq8-vg87-fpm2",
"modified": "2022-05-24T17:46:25Z",
"published": "2022-05-24T17:46:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23924"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/devo-2021-0002"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ23-W8JM-W8WV
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.
{
"affected": [],
"aliases": [
"CVE-2025-6587"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T10:15:37Z",
"severity": "MODERATE"
},
"details": "System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc.\u00a0\nA malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.",
"id": "GHSA-qj23-w8jm-w8wv",
"modified": "2025-07-03T12:34:56Z",
"published": "2025-07-03T12:34:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6587"
},
{
"type": "WEB",
"url": "https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QJ3C-9P7W-6V83
Vulnerability from github – Published: 2025-04-22 06:30 – Updated: 2025-04-22 06:30Hitachi Ops Center Common Services within Hitachi Ops Center OVA contains an information exposure vulnerability. This issue affects Hitachi Ops Center Common Services: from 11.0.3-00 before 11.0.4-00.
{
"affected": [],
"aliases": [
"CVE-2025-2300"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-22T05:15:30Z",
"severity": "MODERATE"
},
"details": "Hitachi Ops Center Common Services within Hitachi Ops Center OVA contains an information exposure vulnerability.\nThis issue affects Hitachi Ops Center Common Services: from 11.0.3-00 before 11.0.4-00.",
"id": "GHSA-qj3c-9p7w-6v83",
"modified": "2025-04-22T06:30:29Z",
"published": "2025-04-22T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2300"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-112/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJ6W-VQH8-3WWG
Vulnerability from github – Published: 2023-02-03 18:30 – Updated: 2023-02-10 03:30Incorrect Access Control issue discovered in tpcms 3.2 allows remote attackers to view sensitive information via path in application URL.
{
"affected": [],
"aliases": [
"CVE-2021-36544"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T18:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect Access Control issue discovered in tpcms 3.2 allows remote attackers to view sensitive information via path in application URL.",
"id": "GHSA-qj6w-vqh8-3wwg",
"modified": "2023-02-10T03:30:20Z",
"published": "2023-02-03T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36544"
},
{
"type": "WEB",
"url": "https://gitee.com/happy_source/tpcms/issues/I3YNWY"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJQ5-4C8Q-X94F
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could allow a privileged user to obtain sensitive information from internal log files. IBM X-Force ID: 202212.
{
"affected": [],
"aliases": [
"CVE-2021-29759"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T17:15:00Z",
"severity": "LOW"
},
"details": "IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could allow a privileged user to obtain sensitive information from internal log files. IBM X-Force ID: 202212.",
"id": "GHSA-qjq5-4c8q-x94f",
"modified": "2022-05-24T19:06:58Z",
"published": "2022-05-24T19:06:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29759"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/202212"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6469449"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJQG-4WG7-957H
Vulnerability from github – Published: 2024-05-15 03:30 – Updated: 2025-02-13 18:59A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.29.3"
},
"package": {
"ecosystem": "Go",
"name": "sigs.k8s.io/azurefile-csi-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "sigs.k8s.io/azurefile-csi-driver"
},
"ranges": [
{
"events": [
{
"introduced": "1.30.0"
},
{
"fixed": "1.30.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.30.0"
]
}
],
"aliases": [
"CVE-2024-3744"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T17:16:58Z",
"nvd_published_at": "2024-05-15T01:15:07Z",
"severity": "MODERATE"
},
"details": "A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.",
"id": "GHSA-qjqg-4wg7-957h",
"modified": "2025-02-13T18:59:21Z",
"published": "2024-05-15T03:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3744"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/124759"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/a1b7446de942136419f07394efeef804523f87ae"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/azurefile-csi-driver/commit/e11ff3dc2c03894cde692213308f9991e7bbd5bf"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes-sigs/azurefile-csi-driver"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/05/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "azure-file-csi-driver leaks service account tokens in the logs"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.