CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1742 vulnerabilities reference this CWE, most recent first.
GHSA-VQF5-2XX6-9WFM
Vulnerability from github – Published: 2025-01-24 18:44 – Updated: 2025-03-31 21:55Impact summary
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment.
For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid GITHUB_TOKEN for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The GITHUB_TOKEN is valid until the job completes or 24 hours has elapsed, whichever comes first.
Environment variables are exposed only from workflow runs that satisfy all of the following conditions:
- Code scanning workflow configured to scan the Java/Kotlin languages.
- Running in a repository containing Kotlin source code.
- Running with debug artifacts enabled.
- Using CodeQL Action versions <= 3.28.2, and CodeQL CLI versions >= 2.9.2 (May 2022) and <= 2.20.2.
- The workflow run fails before the CodeQL database is finalized within the github/codeql-action/analyze step.
- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. (Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.)
The GITHUB_TOKEN exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above:
- Using CodeQL Action versions >= 3.26.11 (October 2024) and <= 3.28.2, or >= 2.26.11 and < 3.
- Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).
In rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory GHSA-gqh3-9prg-j95m for more details.
Impact details
In CodeQL CLI versions >= 2.9.2 and <= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. This is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories. On Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned.
The intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.
Therefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the GITHUB_TOKEN and any user-configured secrets made available via environment variables.
The impact of the GITHUB_TOKEN leaked in this environment is limited:
- For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions >= 3.26.11 and <= 3.28.2, or >= 2.26.11 and < 3, which in turn use the actions/artifacts v4 library, the debug artifact is uploaded before the workflow job completes. During this time the GITHUB_TOKEN is still valid, providing an opportunity for attackers to gain access to the repository.
- For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked GITHUB_TOKEN has been revoked and cannot be used to access the repository.
Mitigations
Update to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.
Patches
This vulnerability has been fixed in CodeQL Action version 3.28.3, which no longer uploads database artifacts in debug mode. This vulnerability will be fixed in CodeQL CLI version 2.20.3, in which database creation for all languages no longer logs the complete environment by default.
References
- Pull request that bundled CodeQL CLI 2.9.2 with Kotlin extractor environment variable logging
- Pull request that introduced the
actions/artifacts v4library, allowing forGITHUB_TOKENexposure in the CodeQL Action debug artifacts before the token was revoked - Related security advisory for the CodeQL CLI
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.28.2"
},
"package": {
"ecosystem": "GitHub Actions",
"name": "github/codeql-action"
},
"ranges": [
{
"events": [
{
"introduced": "3.26.11"
},
{
"fixed": "3.28.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.0.0"
},
"package": {
"ecosystem": "GitHub Actions",
"name": "github/codeql-action"
},
"ranges": [
{
"events": [
{
"introduced": "2.26.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24362"
],
"database_specific": {
"cwe_ids": [
"CWE-215",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-24T18:44:55Z",
"nvd_published_at": "2025-01-24T18:15:32Z",
"severity": "HIGH"
},
"details": "### Impact summary\n\nIn some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment.\n\nFor some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first.\n\nEnvironment variables are exposed only from workflow runs that satisfy all of the following conditions:\n- Code scanning workflow configured to scan the Java/Kotlin languages.\n- Running in a repository containing Kotlin source code.\n- Running with [debug artifacts enabled](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough).\n- Using CodeQL Action versions \u003c= 3.28.2, and CodeQL CLI versions \u003e= 2.9.2 (May 2022) and \u003c= 2.20.2.\n- The workflow run fails before the CodeQL database is finalized within the `github/codeql-action/analyze` step.\n- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. (Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.)\n\nThe `GITHUB_TOKEN` exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above:\n- Using CodeQL Action versions \u003e= 3.26.11 (October 2024) and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3.\n- Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).\n\nIn rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory [GHSA-gqh3-9prg-j95m](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m) for more details.\n\n\n### Impact details\n\nIn CodeQL CLI versions \u003e= 2.9.2 and \u003c= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. \nThis is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories. \nOn Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned.\n\nThe intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.\n\nTherefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the `GITHUB_TOKEN` and any user-configured secrets made available via environment variables.\n\nThe impact of the `GITHUB_TOKEN` leaked in this environment is limited:\n- For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions \u003e= 3.26.11 and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3, which in turn use the `actions/artifacts v4` library, the debug artifact is uploaded before the workflow job completes. During this time the `GITHUB_TOKEN` is still valid, providing an opportunity for attackers to gain access to the repository.\n- For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked `GITHUB_TOKEN` has been revoked and cannot be used to access the repository.\n\n### Mitigations\n\nUpdate to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.\n\n### Patches\n\nThis vulnerability has been fixed in CodeQL Action version 3.28.3, which no longer uploads database artifacts in debug mode.\nThis vulnerability will be fixed in CodeQL CLI version 2.20.3, in which database creation for all languages no longer logs the complete environment by default.\n\n### References\n\n- [Pull request that bundled CodeQL CLI 2.9.2 with Kotlin extractor environment variable logging ](https://github.com/github/codeql-action/pull/1074)\n- [Pull request that introduced the `actions/artifacts v4` library, allowing for `GITHUB_TOKEN` exposure in the CodeQL Action debug artifacts before the token was revoked](https://github.com/github/codeql-action/pull/2482)\n- [Related security advisory for the CodeQL CLI](https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m)",
"id": "GHSA-vqf5-2xx6-9wfm",
"modified": "2025-03-31T21:55:42Z",
"published": "2025-01-24T18:44:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm"
},
{
"type": "WEB",
"url": "https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24362"
},
{
"type": "WEB",
"url": "https://github.com/github/codeql-action/pull/1074"
},
{
"type": "WEB",
"url": "https://github.com/github/codeql-action/pull/2482"
},
{
"type": "WEB",
"url": "https://github.com/github/codeql-action/commit/519de26711ecad48bde264c51e414658a82ef3fa"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough"
},
{
"type": "PACKAGE",
"url": "https://github.com/github/codeql-action"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=43527044"
},
{
"type": "WEB",
"url": "https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GitHub PAT written to debug artifacts"
}
GHSA-VRHQ-HX93-3CXP
Vulnerability from github – Published: 2021-11-30 00:00 – Updated: 2022-07-13 00:01Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.
{
"affected": [],
"aliases": [
"CVE-2021-38283"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-29T08:15:00Z",
"severity": "HIGH"
},
"details": "Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.",
"id": "GHSA-vrhq-hx93-3cxp",
"modified": "2022-07-13T00:01:34Z",
"published": "2021-11-30T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38283"
},
{
"type": "WEB",
"url": "https://www.wipro.com/holmes"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165031/Wipro-Holmes-Orchestrator-20.4.1-File-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRXH-2FG8-68V6
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.
{
"affected": [],
"aliases": [
"CVE-2021-40352"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-01T13:15:00Z",
"severity": "MODERATE"
},
"details": "OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.",
"id": "GHSA-vrxh-2fg8-68v6",
"modified": "2022-05-24T19:12:48Z",
"published": "2022-05-24T19:12:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40352"
},
{
"type": "WEB",
"url": "https://github.com/allenenosh/CVE-2021-40352"
},
{
"type": "WEB",
"url": "https://www.open-emr.org/wiki/index.php/Securing_OpenEMR"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164011/OpenEMR-6.0.0-Insecure-Direct-Object-Reference.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VV5C-28GH-C3H3
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34A logging issue was addressed with improved data redaction. This issue is fixed in tvOS 26, watchOS 26, visionOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-43303"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:33Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in tvOS 26, watchOS 26, visionOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to access sensitive user data.",
"id": "GHSA-vv5c-28gh-c3h3",
"modified": "2025-11-03T21:34:29Z",
"published": "2025-09-16T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43303"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125108"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125114"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125116"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/57"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/58"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVGC-XRW5-PCGG
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26IBM FileNet Content Manager 5.5.2 and 5.5.3 in specific configurations, could log the web service user credentials into a log file that could be accessed by an administrator on the local machine. IBM X-Force ID: 166798.
{
"affected": [],
"aliases": [
"CVE-2019-4572"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM FileNet Content Manager 5.5.2 and 5.5.3 in specific configurations, could log the web service user credentials into a log file that could be accessed by an administrator on the local machine. IBM X-Force ID: 166798.",
"id": "GHSA-vvgc-xrw5-pcgg",
"modified": "2024-04-04T02:26:24Z",
"published": "2022-05-24T16:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4572"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166798"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/1072042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVP6-473X-332G
Vulnerability from github – Published: 2026-02-09 12:30 – Updated: 2026-02-09 12:30In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
{
"affected": [],
"aliases": [
"CVE-2026-25846"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-09T11:16:14Z",
"severity": "MODERATE"
},
"details": "In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs",
"id": "GHSA-vvp6-473x-332g",
"modified": "2026-02-09T12:30:22Z",
"published": "2026-02-09T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25846"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVQF-7QF9-P8Q9
Vulnerability from github – Published: 2023-02-24 15:30 – Updated: 2023-03-03 18:30IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.
{
"affected": [],
"aliases": [
"CVE-2022-43923"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-24T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.",
"id": "GHSA-vvqf-7qf9-p8q9",
"modified": "2023-03-03T18:30:26Z",
"published": "2023-02-24T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43923"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/241584"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6957654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVVP-PX4M-56P7
Vulnerability from github – Published: 2021-11-30 00:00 – Updated: 2021-12-01 00:00Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147
{
"affected": [],
"aliases": [
"CVE-2021-34800"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-29T20:15:00Z",
"severity": "HIGH"
},
"details": "Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147",
"id": "GHSA-vvvp-px4m-56p7",
"modified": "2021-12-01T00:00:43Z",
"published": "2021-11-30T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34800"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3145"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VW58-PH65-6RXP
Vulnerability from github – Published: 2025-04-14 15:20 – Updated: 2025-04-14 15:20Summary
Access token from query string is not redacted and is potentially exposed in system logs which may be persisted.
Details
The access token in req.query is not redacted when the LOG_STYLE is set to raw. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation.
PoC
- Set
LOG_LEVEL="raw"in the environment. - Send a request with the
access_tokenin the query string. - Notice that the
access_tokeninreq.queryis not redacted.
Impact
It impacts systems where the LOG_STYLE is set to raw. The access_token in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@directus/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "21.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47822"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-14T15:20:40Z",
"nvd_published_at": "2024-10-08T18:15:31Z",
"severity": "MODERATE"
},
"details": "### Summary\nAccess token from query string is not redacted and is potentially exposed in system logs which may be persisted.\n\n### Details\nThe access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation.\n\n### PoC\n1. Set `LOG_LEVEL=\"raw\"` in the environment.\n2. Send a request with the `access_token` in the query string.\n3. Notice that the `access_token` in `req.query` is not redacted.\n\n### Impact\nIt impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string.",
"id": "GHSA-vw58-ph65-6rxp",
"modified": "2025-04-14T15:20:41Z",
"published": "2025-04-14T15:20:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47822"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus inserts access token from query string into logs"
}
GHSA-VWCH-G97W-HFG2
Vulnerability from github – Published: 2024-01-03 16:14 – Updated: 2024-07-08 19:36CubeFS was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves.
There is no evidence of this vulnerability being exploited in the wild. It was found during an ongoing security audit carried out by Ada Logics in collaboration with OSTIF and the CNCF.
The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cubefs/cubefs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46742"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-03T16:14:54Z",
"nvd_published_at": "2024-01-03T17:15:11Z",
"severity": "MODERATE"
},
"details": "CubeFS was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. \n\nThere is no evidence of this vulnerability being exploited in the wild. It was found during an ongoing security audit carried out by [Ada Logics](https://adalogics.com/) in collaboration with [OSTIF](https://ostif.org/) and the [CNCF](https://www.cncf.io/).\n\nThe issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.",
"id": "GHSA-vwch-g97w-hfg2",
"modified": "2024-07-08T19:36:05Z",
"published": "2024-01-03T16:14:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46742"
},
{
"type": "WEB",
"url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/cubefs/cubefs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CubeFS leaks users key in logs"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.