Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-VJW2-GG68-3J52

Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34
VLAI
Details

When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T18:15:31Z",
    "severity": "MODERATE"
  },
  "details": "When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-vjw2-gg68-3j52",
  "modified": "2025-02-05T18:34:46Z",
  "published": "2025-02-05T18:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23413"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000149185"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VM8F-QPQ4-4VW6

Vulnerability from github – Published: 2023-10-13 00:30 – Updated: 2024-04-04 08:36
VLAI
Details

An issue was discovered in Plixer Scrutinizer before 19.3.1. It exposes debug logs to unauthenticated users at the /debug/ URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T23:15:11Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in Plixer Scrutinizer before 19.3.1. It exposes debug logs to unauthenticated users at the /debug/ URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information.",
  "id": "GHSA-vm8f-qpq4-4vw6",
  "modified": "2024-04-04T08:36:33Z",
  "published": "2023-10-13T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0001.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMCP-66R5-3PCP

Vulnerability from github – Published: 2024-07-17 16:00 – Updated: 2024-07-17 19:13
VLAI
Summary
Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error
Details

Summary

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

Details

Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: DiscoveryClient.cs Line number: 325 Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs but my logs are showing two URLs regardless.

PoC

  1. Set Eureka config with multiple server URLs with basic auth
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs and should see the error

Impact

Vulnerability: Credential leakage in the logs Who does it impact?: Users who are using peer awareness with Spring Eureka

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.Eureka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.EurekaBase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.0.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.ClientCore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.ClientAutofac"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T16:00:10Z",
    "nvd_published_at": "2024-07-17T18:15:04Z",
    "severity": "LOW"
  },
  "details": "### Summary\nWhen utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.\n\n### Details\nPackage: Steeltoe.Discovery.Eureka\nPackage version: 3.2.1\nBranch: \"release/3.2\"\nFile name: `DiscoveryClient.cs`\nLine number: 325\nCode in question:  `_logger.LogError(e, \"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());`\n\n\nError message in logs: `FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka`\n\nI thought `new Uri(clientOptions.EurekaServerServiceUrls)` would throw a `UriFormatException` since there are multiple URLs but my logs are showing two URLs regardless.\n\n### PoC\n1. Set Eureka config with multiple server URLs with basic auth\n2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in `FetchFullRegistryAsync`.\n3. Check the logs and should see the error \n\n### Impact\nVulnerability: Credential leakage in the logs\nWho does it impact?: Users who are using peer awareness with Spring Eureka",
  "id": "GHSA-vmcp-66r5-3pcp",
  "modified": "2024-07-17T19:13:43Z",
  "published": "2024-07-17T16:00:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/c5d4a94e90ccb77f8e851bc681a2e348a95e7ecb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error"
}

GHSA-VPMF-XXF3-WR92

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-22T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains.",
  "id": "GHSA-vpmf-xxf3-wr92",
  "modified": "2022-05-13T01:10:58Z",
  "published": "2022-05-13T01:10:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7682"
    },
    {
      "type": "WEB",
      "url": "http://help.serena.com/doc_center/sbm/ver11_4/sbm_release_notes.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ4H-6CCR-7PJ2

Vulnerability from github – Published: 2025-07-22 18:30 – Updated: 2025-07-22 18:30
VLAI
Details

Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions \u003e=2.2.1 and \u003c= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions.",
  "id": "GHSA-vq4h-6ccr-7pj2",
  "modified": "2025-07-22T18:30:42Z",
  "published": "2025-07-22T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7371"
    },
    {
      "type": "WEB",
      "url": "https://help.okta.com/oie/en-us/content/topics/settings/version_histories/ver_history_opp_agent.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ4P-PJ29-GGRF

Vulnerability from github – Published: 2025-02-21 06:31 – Updated: 2026-04-08 18:33
VLAI
Details

The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3.9 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-21T04:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The Registration Forms \u2013 User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form \u0026 Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3.9 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.",
  "id": "GHSA-vq4p-pj29-ggrf",
  "modified": "2026-04-08T18:33:49Z",
  "published": "2025-02-21T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13818"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/pie-register/trunk/classes/base_variables.php#L68"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3255985%40pie-register%2Ftrunk\u0026old=3246810%40pie-register%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/768730c1-a70e-432d-a234-4ce2b8aec424?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQCX-8F7G-FM7C

Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2025-04-20 03:36
VLAI
Details

On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "Switch Info" log lines where passwords are in cleartext. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-23T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from \"Switch Info\" log lines where passwords are in cleartext. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.",
  "id": "GHSA-vqcx-8f7g-fm7c",
  "modified": "2025-04-20T03:36:32Z",
  "published": "2022-05-17T02:47:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8075"
    },
    {
      "type": "WEB",
      "url": "https://chmod750.com/2017/04/23/vulnerability-disclosure-tp-link"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97983"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQF5-2XX6-9WFM

Vulnerability from github – Published: 2025-01-24 18:44 – Updated: 2025-03-31 21:55
VLAI
Summary
GitHub PAT written to debug artifacts
Details

Impact summary

In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment.

For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid GITHUB_TOKEN for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The GITHUB_TOKEN is valid until the job completes or 24 hours has elapsed, whichever comes first.

Environment variables are exposed only from workflow runs that satisfy all of the following conditions: - Code scanning workflow configured to scan the Java/Kotlin languages. - Running in a repository containing Kotlin source code. - Running with debug artifacts enabled. - Using CodeQL Action versions <= 3.28.2, and CodeQL CLI versions >= 2.9.2 (May 2022) and <= 2.20.2. - The workflow run fails before the CodeQL database is finalized within the github/codeql-action/analyze step. - Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. (Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.)

The GITHUB_TOKEN exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above: - Using CodeQL Action versions >= 3.26.11 (October 2024) and <= 3.28.2, or >= 2.26.11 and < 3. - Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).

In rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory GHSA-gqh3-9prg-j95m for more details.

Impact details

In CodeQL CLI versions >= 2.9.2 and <= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. This is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories. On Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned.

The intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.

Therefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the GITHUB_TOKEN and any user-configured secrets made available via environment variables.

The impact of the GITHUB_TOKEN leaked in this environment is limited: - For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions >= 3.26.11 and <= 3.28.2, or >= 2.26.11 and < 3, which in turn use the actions/artifacts v4 library, the debug artifact is uploaded before the workflow job completes. During this time the GITHUB_TOKEN is still valid, providing an opportunity for attackers to gain access to the repository. - For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked GITHUB_TOKEN has been revoked and cannot be used to access the repository.

Mitigations

Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.

Patches

This vulnerability has been fixed in CodeQL Action version 3.28.3, which no longer uploads database artifacts in debug mode. This vulnerability will be fixed in CodeQL CLI version 2.20.3, in which database creation for all languages no longer logs the complete environment by default.

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.28.2"
      },
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "github/codeql-action"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.26.11"
            },
            {
              "fixed": "3.28.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.0.0"
      },
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "github/codeql-action"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-215",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-24T18:44:55Z",
    "nvd_published_at": "2025-01-24T18:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Impact summary\n\nIn some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment.\n\nFor some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first.\n\nEnvironment variables are exposed only from workflow runs that satisfy all of the following conditions:\n- Code scanning workflow configured to scan the Java/Kotlin languages.\n- Running in a repository containing Kotlin source code.\n- Running with [debug artifacts enabled](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough).\n- Using CodeQL Action versions \u003c= 3.28.2, and CodeQL CLI versions \u003e= 2.9.2 (May 2022) and \u003c= 2.20.2.\n- The workflow run fails before the CodeQL database is finalized within the `github/codeql-action/analyze` step.\n- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. (Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.)\n\nThe `GITHUB_TOKEN` exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above:\n- Using CodeQL Action versions \u003e= 3.26.11 (October 2024) and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3.\n- Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).\n\nIn rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory [GHSA-gqh3-9prg-j95m](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m) for more details.\n\n\n### Impact details\n\nIn CodeQL CLI versions \u003e= 2.9.2 and \u003c= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. \nThis is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories. \nOn Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned.\n\nThe intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.\n\nTherefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the `GITHUB_TOKEN` and any user-configured secrets made available via environment variables.\n\nThe impact of the `GITHUB_TOKEN` leaked in this environment is limited:\n- For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions \u003e= 3.26.11 and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3, which in turn use the `actions/artifacts v4` library, the debug artifact is uploaded before the workflow job completes. During this time the `GITHUB_TOKEN` is still valid, providing an opportunity for attackers to gain access to the repository.\n- For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked `GITHUB_TOKEN` has been revoked and cannot be used to access the repository.\n\n### Mitigations\n\nUpdate to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.\n\n### Patches\n\nThis vulnerability has been fixed in CodeQL Action version 3.28.3, which no longer uploads database artifacts in debug mode.\nThis vulnerability will be fixed in CodeQL CLI version 2.20.3, in which database creation for all languages no longer logs the complete environment by default.\n\n### References\n\n- [Pull request that bundled CodeQL CLI 2.9.2 with Kotlin extractor environment variable logging ](https://github.com/github/codeql-action/pull/1074)\n- [Pull request that introduced the `actions/artifacts v4` library, allowing for `GITHUB_TOKEN` exposure in the CodeQL Action debug artifacts before the token was revoked](https://github.com/github/codeql-action/pull/2482)\n- [Related security advisory for the CodeQL CLI](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m)",
  "id": "GHSA-vqf5-2xx6-9wfm",
  "modified": "2025-03-31T21:55:42Z",
  "published": "2025-01-24T18:44:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24362"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql-action/pull/1074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql-action/pull/2482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql-action/commit/519de26711ecad48bde264c51e414658a82ef3fa"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/github/codeql-action"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=43527044"
    },
    {
      "type": "WEB",
      "url": "https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GitHub PAT written to debug artifacts"
}

GHSA-VRHQ-HX93-3CXP

Vulnerability from github – Published: 2021-11-30 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-29T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.",
  "id": "GHSA-vrhq-hx93-3cxp",
  "modified": "2022-07-13T00:01:34Z",
  "published": "2021-11-30T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38283"
    },
    {
      "type": "WEB",
      "url": "https://www.wipro.com/holmes"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165031/Wipro-Holmes-Orchestrator-20.4.1-File-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRXH-2FG8-68V6

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-01T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.",
  "id": "GHSA-vrxh-2fg8-68v6",
  "modified": "2022-05-24T19:12:48Z",
  "published": "2022-05-24T19:12:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/allenenosh/CVE-2021-40352"
    },
    {
      "type": "WEB",
      "url": "https://www.open-emr.org/wiki/index.php/Securing_OpenEMR"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164011/OpenEMR-6.0.0-Insecure-Direct-Object-Reference.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.