CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-QV9R-4W4X-36G7
Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-04-04 06:52Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.
{
"affected": [],
"aliases": [
"CVE-2020-24804"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-11T14:15:10Z",
"severity": "MODERATE"
},
"details": "Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.",
"id": "GHSA-qv9r-4w4x-36g7",
"modified": "2024-04-04T06:52:36Z",
"published": "2023-08-11T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24804"
},
{
"type": "WEB",
"url": "https://github.com/cms-dev/cms/issues/1160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QWQW-5HFM-4VGG
Vulnerability from github – Published: 2024-02-06 12:30 – Updated: 2024-02-06 12:30In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible
{
"affected": [],
"aliases": [
"CVE-2024-24939"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T10:15:10Z",
"severity": "LOW"
},
"details": "In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible",
"id": "GHSA-qwqw-5hfm-4vgg",
"modified": "2024-02-06T12:30:31Z",
"published": "2024-02-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24939"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX5M-JJ5C-5J9V
Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-08-26 00:31On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.
{
"affected": [],
"aliases": [
"CVE-2025-3456"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T20:15:39Z",
"severity": "LOW"
},
"details": "On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.",
"id": "GHSA-qx5m-jj5c-5j9v",
"modified": "2025-08-26T00:31:14Z",
"published": "2025-08-26T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3456"
},
{
"type": "WEB",
"url": "https://https://www.arista.com/en/support/advisories-notices/security-advisory/22022-security-advisory-0122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX7G-FX8Q-545G
Vulnerability from github – Published: 2025-06-06 15:49 – Updated: 2025-06-13 15:28CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`
Here, PROFILE_URL is a constant:
private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";
This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.erudika:para-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.50.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49009"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-06T15:49:58Z",
"nvd_published_at": "2025-06-05T17:15:29Z",
"severity": "MODERATE"
},
"details": "CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)\nCVSS: 6.2 (Medium)\nVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n**Affected Component:** Facebook Authentication Logging\n**Version:** Para v1.50.6\n**File Path:** para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java\n**Vulnerable Line(s):** Line 184 (logger.warn(...) with raw access token)\n\nTechnical Details:\n\nThe vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook\u2019s user profile endpoint triggers the following log statement:\n```java\nlogger.warn(\"Facebook auth request failed: GET \" + PROFILE_URL + accessToken, e);`\n```\n\nHere, `PROFILE_URL` is a constant:\n```java\nprivate static final String PROFILE_URL = \"https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)\u0026access_token=\";\n```\nThis results in the full request URL being logged, including the user\u0027s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.",
"id": "GHSA-qx7g-fx8q-545g",
"modified": "2025-06-13T15:28:47Z",
"published": "2025-06-06T15:49:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49009"
},
{
"type": "WEB",
"url": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf"
},
{
"type": "PACKAGE",
"url": "https://github.com/Erudika/para"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Para Inserts Sensitive Information into Log File for Facebook authentication"
}
GHSA-QXMC-P4V9-VCQQ
Vulnerability from github – Published: 2024-01-01 15:30 – Updated: 2024-01-08 18:30The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.
{
"affected": [],
"aliases": [
"CVE-2023-6064"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-01T15:15:43Z",
"severity": "HIGH"
},
"details": "The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.",
"id": "GHSA-qxmc-p4v9-vcqq",
"modified": "2024-01-08T18:30:26Z",
"published": "2024-01-01T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6064"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/423c8881-628b-4380-9677-65b3f5165efe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R22F-RMV4-8Q7H
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-18 00:01In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191086488
{
"affected": [],
"aliases": [
"CVE-2021-0997"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191086488",
"id": "GHSA-r22f-rmv4-8q7h",
"modified": "2021-12-18T00:01:19Z",
"published": "2021-12-16T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0997"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R24Q-43J9-J222
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-184525194
{
"affected": [],
"aliases": [
"CVE-2021-39739"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "LOW"
},
"details": "In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-184525194",
"id": "GHSA-r24q-43j9-j222",
"modified": "2022-04-06T00:01:56Z",
"published": "2022-03-31T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39739"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-12l"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2PH-VGMF-8GQH
Vulnerability from github – Published: 2024-11-18 06:30 – Updated: 2024-11-18 18:30AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim's AnyDesk ID.
{
"affected": [],
"aliases": [
"CVE-2024-52940"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T05:15:05Z",
"severity": "HIGH"
},
"details": "AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim\u0027s AnyDesk ID.",
"id": "GHSA-r2ph-vgmf-8gqh",
"modified": "2024-11-18T18:30:54Z",
"published": "2024-11-18T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52940"
},
{
"type": "WEB",
"url": "https://download.anydesk.com/changelog.txt"
},
{
"type": "WEB",
"url": "https://github.com/ebrasha/abdal-anydesk-remote-ip-detector"
},
{
"type": "WEB",
"url": "https://x.com/ProfShafiei/status/1850856458017009830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R33Q-8FQQ-HPHJ
Vulnerability from github – Published: 2022-05-14 02:18 – Updated: 2022-05-14 02:18An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.
{
"affected": [],
"aliases": [
"CVE-2018-6599"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-29T19:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.",
"id": "GHSA-r33q-8fqq-hphj",
"modified": "2022-05-14T02:18:48Z",
"published": "2022-05-14T02:18:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6599"
},
{
"type": "WEB",
"url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R35R-RM7G-V9M8
Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.
{
"affected": [],
"aliases": [
"CVE-2026-49088"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T17:16:35Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.",
"id": "GHSA-r35r-rm7g-v9m8",
"modified": "2026-07-01T18:31:54Z",
"published": "2026-07-01T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49088"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-8-18-9-8-19-6-9-0-8-9-1-6-security-update-esa-2026-50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.