CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1742 vulnerabilities reference this CWE, most recent first.
GHSA-RCW7-PQFP-735X
Vulnerability from github – Published: 2025-09-05 21:02 – Updated: 2025-09-05 21:02Hello Kubernetes Community,
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.
Am I vulnerable?
To check if tokens are being logged, examine the manager container log:
kubectl logs -l 'app.kubernetes.io/part-of=secrets-store-sync-controller' -c manager -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"
Affected Versions
- secrets-store-sync-controller < v0.0.2
How do I mitigate this vulnerability?
Upgrade to secrets-store-sync-controller v0.0.2+
Fixed Versions
- secrets-store-sync-controller >= v0.0.2
Detection
Examine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Acknowledgements
This vulnerability was reported by Reem Rotenberg and Kas Dekel from Microsoft.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "sigs.k8s.io/secrets-store-sync-controller"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7445"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-05T21:02:44Z",
"nvd_published_at": "2025-09-05T03:15:31Z",
"severity": "MODERATE"
},
"details": "Hello Kubernetes Community,\n\nA security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the `parameters` sent to the providers.\n\n### Am I vulnerable?\n\nTo check if tokens are being logged, examine the manager container log:\n\n```bash\nkubectl logs -l \u0027app.kubernetes.io/part-of=secrets-store-sync-controller\u0027 -c manager -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\n```\n\n### Affected Versions\n\n- secrets-store-sync-controller \u003c v0.0.2\n\n### How do I mitigate this vulnerability?\n\nUpgrade to secrets-store-sync-controller v0.0.2+\n\n### Fixed Versions\n\n- secrets-store-sync-controller \u003e= v0.0.2\n\n\n### Detection\n\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.\n\nIf you find evidence that this vulnerability has been exploited, please contact [security@kubernetes.io](https://groups.google.com/)\n\n### Acknowledgements\n\nThis vulnerability was reported by Reem Rotenberg and [Kas Dekel](https://github.com/privmickas) from Microsoft.",
"id": "GHSA-rcw7-pqfp-735x",
"modified": "2025-09-05T21:02:44Z",
"published": "2025-09-05T21:02:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7445"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/133897"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "secrets-store-sync-controller discloses service account tokens in logs"
}
GHSA-RCWX-27FJ-MXF2
Vulnerability from github – Published: 2025-09-10 18:30 – Updated: 2025-09-10 18:30Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-43888"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T16:15:37Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-rcwx-27fj-mxf2",
"modified": "2025-09-10T18:30:15Z",
"published": "2025-09-10T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43888"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000367456/dsa-2025-326-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCXF-WCPQ-J795
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2021-23046"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T15:15:00Z",
"severity": "MODERATE"
},
"details": "On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-rcxf-wcpq-j795",
"modified": "2022-05-24T19:14:24Z",
"published": "2022-05-24T19:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23046"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K70652532"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RCXJ-GJXV-RF5C
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2023-02-02 21:33OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
{
"affected": [],
"aliases": [
"CVE-2019-14854"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"id": "GHSA-rcxj-gjxv-rf5c",
"modified": "2023-02-02T21:33:45Z",
"published": "2022-05-24T17:05:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RFVG-559M-H7MR
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43Before Thornberry NDoc version 8.0, laptop clients and the server have default database (Cache) users set up with a single password. This password is left behind in a cleartext log file during client installation on laptops. This password can be used to gain full admin/system access to client devices (if no firewall is present) or the NDoc server itself. Once the password is known to an attacker, local access is not required.
{
"affected": [],
"aliases": [
"CVE-2017-15366"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-26T20:29:00Z",
"severity": "CRITICAL"
},
"details": "Before Thornberry NDoc version 8.0, laptop clients and the server have default database (Cache) users set up with a single password. This password is left behind in a cleartext log file during client installation on laptops. This password can be used to gain full admin/system access to client devices (if no firewall is present) or the NDoc server itself. Once the password is known to an attacker, local access is not required.",
"id": "GHSA-rfvg-559m-h7mr",
"modified": "2022-05-13T01:43:45Z",
"published": "2022-05-13T01:43:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15366"
},
{
"type": "WEB",
"url": "https://gist.github.com/emptythevoid/84248daccce8737f1cdd5b395cf6f32c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG5F-R5JW-RVXG
Vulnerability from github – Published: 2025-02-19 12:31 – Updated: 2025-08-25 03:33Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators.
{
"affected": [],
"aliases": [
"CVE-2025-1075"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T10:15:09Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p27, \u003c2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators.",
"id": "GHSA-rg5f-r5jw-rvxg",
"modified": "2025-08-25T03:33:05Z",
"published": "2025-02-19T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1075"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17495"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHR8-H74G-4F3H
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-06-05 00:31Philips DreamMapper, Version 2.24 and prior. Information written to log files can give guidance to a potential attacker.
{
"affected": [],
"aliases": [
"CVE-2020-14518"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T13:15:00Z",
"severity": "MODERATE"
},
"details": "Philips DreamMapper, Version 2.24 and prior. Information written to log files can give guidance to a potential attacker.",
"id": "GHSA-rhr8-h74g-4f3h",
"modified": "2025-06-05T00:31:17Z",
"published": "2022-05-24T17:26:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14518"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-212-01"
},
{
"type": "WEB",
"url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJ3H-XXG4-Q2H4
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server.
{
"affected": [],
"aliases": [
"CVE-2026-1495"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T21:16:01Z",
"severity": "MODERATE"
},
"details": "The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server.",
"id": "GHSA-rj3h-xxg4-q2h4",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1495"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJC6-VM4H-85CG
Vulnerability from github – Published: 2024-09-11 19:20 – Updated: 2024-09-11 19:20Summary
The AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless applications built on AWS. AWS SAM CLI can build container (Docker) images and customers can specify arguments in the SAM template that are passed to the Docker engine during build [1].
Impact
If customers specify sensitive data in the DockerBuildArgs parameter of their template, the sensitive data will be shown in clear text in the AWS SAM CLI output via STDERR when running the sam build command.
Patches
A patch is included in aws-sam-cli>=1.122.0.
We strongly recommend customers install AWS SAM CLI v1.122.0 or above. Please review logs produced by your SAM CLI runs if you have used the DockerBuildArgs parameter and consider rotating the secrets if you believe they were exposed.
References
If you have any questions or comments about this issue, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-build.html#build-container-image
[2] https://aws.amazon.com/security/vulnerability-reporting
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aws-sam-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.122.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-11T19:20:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless applications built on AWS. AWS SAM CLI can build container (Docker) images and customers can specify arguments in the SAM template that are passed to the Docker engine during build [1].\n\n### Impact\nIf customers specify sensitive data in the DockerBuildArgs parameter of their template, the sensitive data will be shown in clear text in the AWS SAM CLI output via STDERR when running the sam build command.\n\n### Patches\nA patch is included in aws-sam-cli\u003e=1.122.0.\n\nWe strongly recommend customers install AWS SAM CLI v1.122.0 or above. Please review logs produced by your SAM CLI runs if you have used the DockerBuildArgs parameter and consider rotating the secrets if you believe they were exposed.\n\n### References\nIf you have any questions or comments about this issue, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-build.html#build-container-image \n\n[2] https://aws.amazon.com/security/vulnerability-reporting\n",
"id": "GHSA-rjc6-vm4h-85cg",
"modified": "2024-09-11T19:20:57Z",
"published": "2024-09-11T19:20:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-sam-cli/security/advisories/GHSA-rjc6-vm4h-85cg"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-sam-cli"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs"
}
GHSA-RJC9-V6HH-HQ3J
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.
{
"affected": [],
"aliases": [
"CVE-2017-0380"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-18T16:29:00Z",
"severity": "MODERATE"
},
"details": "The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.",
"id": "GHSA-rjc9-v6hh-hq3j",
"modified": "2022-05-17T00:26:09Z",
"published": "2022-05-17T00:26:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0380"
},
{
"type": "WEB",
"url": "https://github.com/torproject/tor/commit/09ea89764a4d3a907808ed7d4fe42abfe64bd486"
},
{
"type": "WEB",
"url": "https://trac.torproject.org/projects/tor/ticket/23490"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3993"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.