Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

CVE-2023-4380 (GCVE-0-2023-4380)

Vulnerability from cvelistv5 – Published: 2023-10-04 14:24 – Updated: 2025-11-20 18:27
VLAI
Title
Platform: token exposed at importing project
Summary
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2023:4693 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4380 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2232324 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8 Unaffected: 0:1.0.1-1.el8ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9
    cpe:/a:redhat:ansible_automation_platform:2.4::el8
    cpe:/a:redhat:ansible_automation_platform:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9 Unaffected: 0:1.0.1-1.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9
    cpe:/a:redhat:ansible_automation_platform:2.4::el8
    cpe:/a:redhat:ansible_automation_platform:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8
Create a notification for this product.
Date Public
2023-08-16 10:05
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:24:04.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:4693",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4693"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4380"
          },
          {
            "name": "RHBZ#2232324",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232324"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-eda-controller",
          "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.1-1.el8ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-eda-controller",
          "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.1-1.el9ap",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2023-08-16T10:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T18:27:32.482Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:4693",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4693"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4380"
        },
        {
          "name": "RHBZ#2232324",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232324"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-08-16T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-08-16T10:05:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Platform: token exposed at importing project",
      "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4380",
    "datePublished": "2023-10-04T14:24:35.121Z",
    "dateReserved": "2023-08-16T10:02:36.139Z",
    "dateUpdated": "2025-11-20T18:27:32.482Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4108 (GCVE-0-2023-4108)

Vulnerability from cvelistv5 – Published: 2023-08-11 06:12 – Updated: 2024-10-03 20:27
VLAI
Title
Audit logging fails to sanitize post metadata
Summary
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
Mattermost Mattermost Affected: 0 , ≤ 7.8.7 (semver)
Affected: 0 , ≤ 7.9.5 (semver)
Affected: 0 , ≤ 7.10.3 (semver)
Unaffected: 7.8.8
Unaffected: 7.9.6
Unaffected: 7.10.4
Create a notification for this product.
Credits
Jo Astoreca
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:17:11.944Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mattermost.com/security-updates"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4108",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T20:27:41.174946Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-03T20:27:59.225Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mattermost",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "7.8.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.10.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.8.8"
            },
            {
              "status": "unaffected",
              "version": "7.9.6"
            },
            {
              "status": "unaffected",
              "version": "7.10.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Jo Astoreca"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMattermost fails to sanitize post metadata during audit logging resulting in p\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eermalinks contents being logged\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-11T06:12:33.792Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.\n\n"
        }
      ],
      "source": {
        "advisory": "MMSA-2023-00214",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-53157"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Audit logging fails to sanitize post metadata",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2023-4108",
    "datePublished": "2023-08-11T06:12:33.792Z",
    "dateReserved": "2023-08-02T15:36:24.635Z",
    "dateUpdated": "2024-10-03T20:27:59.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3993 (GCVE-0-2023-3993)

Vulnerability from cvelistv5 – Published: 2023-08-02 00:07 – Updated: 2024-10-03 06:23
VLAI
Title
Insertion of Sensitive Information into Log File in GitLab
Summary
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/409570 issue-trackingpermissions-required
Impacted products
Vendor Product Version
GitLab GitLab Affected: 14.3 , < 16.0.8 (semver)
Affected: 16.1 , < 16.1.3 (semver)
Affected: 16.2 , < 16.2.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
This vulnerability was discovered internally by GitLab team member [@mjozenazemian](https://gitlab.com/mjozenazemian).
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:08:50.764Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #409570",
            "tags": [
              "issue-tracking",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409570"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3993",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-30T15:41:18.693629Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-30T15:41:31.006Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "16.0.8",
              "status": "affected",
              "version": "14.3",
              "versionType": "semver"
            },
            {
              "lessThan": "16.1.3",
              "status": "affected",
              "version": "16.1",
              "versionType": "semver"
            },
            {
              "lessThan": "16.2.2",
              "status": "affected",
              "version": "16.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability was discovered internally by GitLab team member [@mjozenazemian](https://gitlab.com/mjozenazemian)."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-03T06:23:13.637Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #409570",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409570"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.2.2, 16.1.3, 16.0.8 or above."
        }
      ],
      "title": "Insertion of Sensitive Information into Log File in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2023-3993",
    "datePublished": "2023-08-02T00:07:00.242Z",
    "dateReserved": "2023-07-28T09:01:21.622Z",
    "dateUpdated": "2024-10-03T06:23:13.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3363 (GCVE-0-2023-3363)

Vulnerability from cvelistv5 – Published: 2023-07-13 02:08 – Updated: 2024-11-05 15:14
VLAI
Title
Insertion of Sensitive Information into Log File in GitLab
Summary
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
GitLab GitLab Affected: 13.6 , < 15.11.10 (semver)
Affected: 16.0 , < 16.0.6 (semver)
Affected: 16.1 , < 16.1.1 (semver)
Create a notification for this product.
Credits
This vulnerability was reported by Martin Vaisset from MyMoneyBank
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:55:02.594Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #409034",
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409034"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3363",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-05T15:13:58.915898Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T15:14:10.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "15.11.10",
              "status": "affected",
              "version": "13.6",
              "versionType": "semver"
            },
            {
              "lessThan": "16.0.6",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.1.1",
              "status": "affected",
              "version": "16.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability was reported by Martin Vaisset from MyMoneyBank"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-13T02:08:35.069Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #409034",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409034"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 15.11.10, 16.0.6, 16.1.1 or above."
        }
      ],
      "title": "Insertion of Sensitive Information into Log File in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2023-3363",
    "datePublished": "2023-07-13T02:08:35.069Z",
    "dateReserved": "2023-06-22T01:14:48.593Z",
    "dateUpdated": "2024-11-05T15:14:10.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3335 (GCVE-0-2023-3335)

Vulnerability from cvelistv5 – Published: 2023-10-03 01:02 – Updated: 2024-08-02 06:55
VLAI
Title
Information Exposure Vulnerability in Hitachi Ops Center Administrator
Summary
Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users  to gain sensitive information.This issue affects Hitachi Ops Center Administrator: before 10.9.3-00.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
Hitachi Hitachi Ops Center Administrator Affected: 0 , < 10.9.3-00 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:55:02.617Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-140/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Ops Center Administrator",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "10.9.3-00",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.9.3-00",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users\u0026nbsp; to gain sensitive information.\u003cp\u003eThis issue affects Hitachi Ops Center Administrator: before 10.9.3-00.\u003c/p\u003e"
            }
          ],
          "value": "Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users\u00a0 to gain sensitive information.This issue affects Hitachi Ops Center Administrator: before 10.9.3-00.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-07T03:30:28.949Z",
        "orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
        "shortName": "Hitachi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-140/index.html"
        }
      ],
      "source": {
        "advisory": "hitachi-sec-2023-140",
        "discovery": "UNKNOWN"
      },
      "title": "Information Exposure Vulnerability in Hitachi Ops Center Administrator",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
    "assignerShortName": "Hitachi",
    "cveId": "CVE-2023-3335",
    "datePublished": "2023-10-03T01:02:47.466Z",
    "dateReserved": "2023-06-20T07:02:24.702Z",
    "dateUpdated": "2024-08-02T06:55:02.617Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2878 (GCVE-0-2023-2878)

Vulnerability from cvelistv5 – Published: 2023-06-07 14:35 – Updated: 2025-02-13 16:48
VLAI
Title
Kubernetes secrets-store-csi-driver discloses service account tokens in logs
Summary
Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
Kubernetes secrets-store-csi-driver Affected: 0 , < 1.3.3 (semver)
Unaffected: 1.3.3
Create a notification for this product.
Date Public
2023-05-25 04:00
Credits
Tomer Shaiman
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:41:02.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/kubernetes/kubernetes/issues/118419"
          },
          {
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230814-0003/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2878",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-06T21:04:21.178942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T21:04:31.624Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "secrets-store-csi-driver",
          "repo": "https://github.com/kubernetes-sigs/secrets-store-csi-driver",
          "vendor": "Kubernetes",
          "versions": [
            {
              "lessThan": "1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "1.3.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Tomer Shaiman"
        }
      ],
      "datePublic": "2023-05-25T04:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.\u003cbr\u003e"
            }
          ],
          "value": "Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-14T18:06:17.787Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/kubernetes/kubernetes/issues/118419"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230814-0003/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Kubernetes secrets-store-csi-driver discloses service account tokens in logs",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePrior to upgrading, this vulnerability can be mitigated by running secrets-store-csi-driver at log level 0 or 1 via the -v flag.\u003c/p\u003e"
            }
          ],
          "value": "Prior to upgrading, this vulnerability can be mitigated by running secrets-store-csi-driver at log level 0 or 1 via the -v flag."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2023-2878",
    "datePublished": "2023-06-07T14:35:10.295Z",
    "dateReserved": "2023-05-24T22:10:01.825Z",
    "dateUpdated": "2025-02-13T16:48:51.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1786 (GCVE-0-2023-1786)

Vulnerability from cvelistv5 – Published: 2023-04-26 22:23 – Updated: 2025-02-13 16:39
VLAI
Title
sensitive data exposure in cloud-init logs
Summary
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Canonical Ltd. cloud-init Affected: 0 , < 23.1.2 (semver)
Create a notification for this product.
Date Public
2023-04-26 00:00
Credits
James Golovich
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:57:25.074Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/cloud-init/+bug/2013967"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-6042-1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ATBJSXPL2IOAD2LDQRKWPLIC7QXS44GZ/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1786",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-31T19:16:40.437499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-31T19:16:51.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/canonical/cloud-init/releases",
          "packageName": "cloud-init",
          "platforms": [
            "Linux"
          ],
          "product": "cloud-init",
          "repo": "https://github.com/canonical/cloud-init/",
          "vendor": "Canonical Ltd.",
          "versions": [
            {
              "lessThan": "23.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "James Golovich"
        }
      ],
      "datePublic": "2023-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-07T02:06:08.088Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugs.launchpad.net/cloud-init/+bug/2013967"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://ubuntu.com/security/notices/USN-6042-1"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ATBJSXPL2IOAD2LDQRKWPLIC7QXS44GZ/"
        }
      ],
      "title": "sensitive data exposure in cloud-init logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2023-1786",
    "datePublished": "2023-04-26T22:23:47.305Z",
    "dateReserved": "2023-03-31T20:40:07.757Z",
    "dateUpdated": "2025-02-13T16:39:30.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1550 (GCVE-0-2023-1550)

Vulnerability from cvelistv5 – Published: 2023-03-29 16:34 – Updated: 2025-02-13 16:39
VLAI
Title
NGINX Agent vulnerability CVE-2023-1550
Summary
Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
f5
Impacted products
Vendor Product Version
F5 NGINX Agent Affected: 2.0 , < 2.23.3 (semver)
Create a notification for this product.
Date Public
2023-03-29 14:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:49:11.695Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://my.f5.com/manage/s/article/K000133135"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230511-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1550",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T16:15:06.608189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:15:11.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "NGINX Agent",
          "repo": "https://github.com/nginx/agent/",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "2.23.3",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Non-default trace level logging enabled."
            }
          ],
          "value": "Non-default trace level logging enabled."
        }
      ],
      "datePublic": "2023-03-29T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring."
            }
          ],
          "value": "Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-11T14:06:33.377Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "url": "https://my.f5.com/manage/s/article/K000133135"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230511-0008/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "NGINX Agent vulnerability CVE-2023-1550",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2023-1550",
    "datePublished": "2023-03-29T16:34:38.119Z",
    "dateReserved": "2023-03-21T16:43:56.998Z",
    "dateUpdated": "2025-02-13T16:39:29.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0815 (GCVE-0-2023-0815)

Vulnerability from cvelistv5 – Published: 2023-02-23 14:52 – Updated: 2025-03-11 18:24
VLAI
Title
Plaintext Password Present in the Web logs
Summary
Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
The OpenNMS Group Meridian Affected: 2020.1.0 , < 2020.1.32 (git)
Affected: 2021.1.0 , < 2021.1.24 (git)
Affected: 2022.1.0 , < 2022.1.13 (git)
Create a notification for this product.
The OpenNMS Group Horizon Affected: 26.0.0 , < 31.0.4 (git)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:24:34.493Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenNMS/opennms/pull/5741/files"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-11T18:24:22.248673Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-11T18:24:39.053Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Jetty",
            "Log4j2"
          ],
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "Meridian",
          "programFiles": [
            "https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"
          ],
          "programRoutines": [
            {
              "name": "log4j2.xml"
            }
          ],
          "repo": "https://github.com/OpenNMS",
          "vendor": "The OpenNMS Group ",
          "versions": [
            {
              "lessThan": "2020.1.32",
              "status": "affected",
              "version": "2020.1.0",
              "versionType": "git"
            },
            {
              "lessThan": "2021.1.24",
              "status": "affected",
              "version": "2021.1.0",
              "versionType": "git"
            },
            {
              "lessThan": "2022.1.13",
              "status": "affected",
              "version": "2022.1.0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "Jetty",
            "Log4j2"
          ],
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "Horizon",
          "programFiles": [
            "https://github.com/OpenNMS/opennms/blob/develop/opennms-base-assembly/src/main/filtered/etc/log4j2.xml"
          ],
          "programRoutines": [
            {
              "name": "log4j2.xml"
            }
          ],
          "repo": "https://github.com/OpenNMS",
          "vendor": "The OpenNMS Group",
          "versions": [
            {
              "lessThan": "31.0.4",
              "status": "affected",
              "version": "26.0.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePotential Insertion of Sensitive Information into \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug.\u0026nbsp;\u003c/span\u003eUsers\nshould upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and\nHorizon installation instructions state that they are intended for installation\nwithin an organization\u0027s private networks and should not be directly accessible\nfrom the Internet.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\n\n\n\n\n\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug.\u00a0Users\nshould upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and\nHorizon installation instructions state that they are intended for installation\nwithin an organization\u0027s private networks and should not be directly accessible\nfrom the Internet.\n\n\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-27T18:58:26.046Z",
        "orgId": "70b007e9-5235-4ee5-90b5-a71a81beeda0",
        "shortName": "OpenNMS"
      },
      "references": [
        {
          "url": "https://github.com/OpenNMS/opennms/pull/5741/files"
        },
        {
          "url": "https://docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\u0026lt;\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003elogger\u003c/span\u003e \u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003ename\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e=\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eorg.eclipse.jetty.server.HttpInput\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e \u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eadditivity\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e=\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003efalse\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e \u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003elevel\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e=\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eINFO\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e2\u003c/span\u003e \u003cbr\u003e \u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\u0026lt;\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eappender-ref\u003c/span\u003e \u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eref\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e=\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003eRoutingAppender\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\"\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e/\u0026gt;\u003c/span\u003e\n\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e3\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003elogger\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 245, 247);\"\u003e\u0026gt;\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/OpenNMS/opennms/pull/5741\"\u003ehttps://github.com/OpenNMS/opennms/pull/5741\u003cbr\u003e\u003cbr\u003e\u003c/a\u003eor upgrade to a newer version of Meridian or Horizon. \u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "\u003clogger name=\"org.eclipse.jetty.server.HttpInput\" additivity=\"false\" level=\"INFO\"\u003e\n2 \n \u003cappender-ref ref=\"RoutingAppender\"/\u003e\n3\n\u003c/logger\u003e\n\n https://github.com/OpenNMS/opennms/pull/5741\n\n https://github.com/OpenNMS/opennms/pull/5741 or upgrade to a newer version of Meridian or Horizon. \n\n"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Plaintext Password Present in the Web logs",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "70b007e9-5235-4ee5-90b5-a71a81beeda0",
    "assignerShortName": "OpenNMS",
    "cveId": "CVE-2023-0815",
    "datePublished": "2023-02-23T14:52:05.792Z",
    "dateReserved": "2023-02-13T18:59:43.516Z",
    "dateUpdated": "2025-03-11T18:24:39.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0436 (GCVE-0-2023-0436)

Vulnerability from cvelistv5 – Published: 2023-11-07 11:44 – Updated: 2024-08-02 05:10
VLAI
Title
Secret logging may occur in debug mode of Atlas Operator
Summary
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration:  DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
MongoDB Inc MongoDB Atlas Kubernetes Operator Affected: 1.5.0 , ≤ 1.7.0 (custom)
Create a notification for this product.
Date Public
2023-11-07 12:41
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:10:56.307Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB Atlas Kubernetes Operator",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThanOrEqual": "1.7.0",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eRequired Configuration:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eDEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27\"\u003ehttps://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27\u003c/a\u003e)\u003c/p\u003e"
            }
          ],
          "value": "Required Configuration:\u00a0\n\nDEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg.  https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )\n\n"
        }
      ],
      "datePublic": "2023-11-07T12:41:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.\u003c/p\u003ePlease note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.\u003cbr\u003e\u003cp\u003e\u003cb\u003eRequired Configuration:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eDEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27\"\u003ehttps://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27\u003c/a\u003e)\u003c/p\u003e"
            }
          ],
          "value": "The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.\n\nPlease note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.\nRequired Configuration:\u00a0\n\nDEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg.  https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-07T11:44:47.971Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Secret logging may occur in debug mode of Atlas Operator ",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2023-0436",
    "datePublished": "2023-11-07T11:44:47.971Z",
    "dateReserved": "2023-01-23T11:09:57.445Z",
    "dateUpdated": "2024-08-02T05:10:56.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.