CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-27R7-3M9X-R533
Vulnerability from github – Published: 2025-08-26 16:19 – Updated: 2025-08-29 21:03Impact
A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information.
Patch
This vulnerability was temporarily fixed by #2787 and will be completely resolved by #2788.
This issue may have caused OAuth tokens to be leaked to users who can view logs on traQ instances using versions prior to v3.25.0.
While it is possible that OAuth tokens for both human users and Bots were leaked, revoking Bot access tokens is not recommended as it may cause errors. This issue will be resolved in a future update.
Currently, the recommended mitigation is to invalidate the OAuth tokens of human users only. To apply this measure, please execute the following SQL statement directly:
UPDATE oauth2_tokens SET deleted_at = NOW() WHERE deleted_at IS NULL AND scopes != "bot"
Workaround
If you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traPtitech/traQ"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57813"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-26T16:19:41Z",
"nvd_published_at": "2025-08-26T16:15:38Z",
"severity": "MODERATE"
},
"details": "### Impact\nA vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query.\nAn attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information.\n\n### Patch\nThis vulnerability was temporarily fixed by #2787 and will be completely resolved by #2788. \n\nThis issue may have caused OAuth tokens to be leaked to users who can view logs on traQ instances using versions prior to v3.25.0.\n\nWhile it is possible that OAuth tokens for both human users and Bots were leaked, revoking Bot access tokens is not recommended as it may cause errors. This issue will be resolved in a future update.\n\nCurrently, the recommended mitigation is to invalidate the OAuth tokens of human users only. To apply this measure, please execute the following SQL statement directly:\n```sql\nUPDATE oauth2_tokens SET deleted_at = NOW() WHERE deleted_at IS NULL AND scopes != \"bot\"\n```\n\n### Workaround\nIf you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.",
"id": "GHSA-27r7-3m9x-r533",
"modified": "2025-08-29T21:03:36Z",
"published": "2025-08-26T16:19:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traPtitech/traQ/security/advisories/GHSA-27r7-3m9x-r533"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57813"
},
{
"type": "WEB",
"url": "https://github.com/traPtitech/traQ/pull/2787"
},
{
"type": "WEB",
"url": "https://github.com/traPtitech/traQ/pull/2788"
},
{
"type": "WEB",
"url": "https://github.com/traPtitech/traQ/commit/ce5da94f5d5a8348f9ecdc82140b6f53b3721698"
},
{
"type": "PACKAGE",
"url": "https://github.com/traPtitech/traQ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3913"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "traQ Allows Insertion of Sensitive Information into Log File"
}
GHSA-27RQ-4943-QCWP
Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-06-02 17:38The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/go-getter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29810"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-03T20:19:26Z",
"nvd_published_at": "2022-04-27T06:15:00Z",
"severity": "MODERATE"
},
"details": "The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.",
"id": "GHSA-27rq-4943-qcwp",
"modified": "2022-06-02T17:38:26Z",
"published": "2022-04-28T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29810"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/pull/348"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/go-getter"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/releases/tag/v1.5.11"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0438"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Log File in Hashicorp go-getter"
}
GHSA-27W6-8M77-X3QF
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-04-08 18:34Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration.This issue affects WordPress Backup & Migration: from n/a through 1.4.7.
{
"affected": [],
"aliases": [
"CVE-2024-31254"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:13Z",
"severity": "LOW"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup \u0026 Migration.This issue affects WordPress Backup \u0026 Migration: from n/a through 1.4.7.",
"id": "GHSA-27w6-8m77-x3qf",
"modified": "2025-04-08T18:34:11Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31254"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-migration-duplicator/wordpress-wordpress-backup-migration-plugin-1-4-7-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2826-9VPV-CRX3
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-03-01 18:31GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.
{
"affected": [],
"aliases": [
"CVE-2018-19583"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user\u0027s token.",
"id": "GHSA-2826-9vpv-crx3",
"modified": "2023-03-01T18:31:02Z",
"published": "2022-05-24T16:49:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19583"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2844-PFQ3-9X4M
Vulnerability from github – Published: 2025-07-07 15:30 – Updated: 2025-07-07 15:30An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.
{
"affected": [],
"aliases": [
"CVE-2025-6711"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T15:15:28Z",
"severity": "MODERATE"
},
"details": "An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.",
"id": "GHSA-2844-pfq3-9x4m",
"modified": "2025-07-07T15:30:40Z",
"published": "2025-07-07T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6711"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-98720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-286M-RX96-29M7
Vulnerability from github – Published: 2022-05-14 03:05 – Updated: 2025-04-20 03:32The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.
{
"affected": [],
"aliases": [
"CVE-2017-5549"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-06T06:59:00Z",
"severity": "MODERATE"
},
"details": "The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.",
"id": "GHSA-286m-rx96-29m7",
"modified": "2025-04-20T03:32:24Z",
"published": "2022-05-14T03:05:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5549"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/146cc8a17a3b4996f6805ee5c080e7101277c410"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416114"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3754-1"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=146cc8a17a3b4996f6805ee5c080e7101277c410"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3791"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/01/21/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95715"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2874-9WC2-224F
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.
{
"affected": [],
"aliases": [
"CVE-2018-1075"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-12T13:29:00Z",
"severity": "HIGH"
},
"details": "ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.",
"id": "GHSA-2874-9wc2-224f",
"modified": "2022-05-13T01:33:34Z",
"published": "2022-05-13T01:33:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1075"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2071"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-1075"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1542508"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1075"
},
{
"type": "WEB",
"url": "https://gerrit.ovirt.org/#/c/91653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-28H8-8GFR-GWWM
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:54Screenshot vulnerability in the input module. Successful exploitation of this vulnerability may affect confidentiality.
{
"affected": [],
"aliases": [
"CVE-2023-41308"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:28Z",
"severity": "HIGH"
},
"details": "Screenshot vulnerability in the input module. Successful exploitation of this vulnerability may affect confidentiality.",
"id": "GHSA-28h8-8gfr-gwwm",
"modified": "2024-04-04T07:54:09Z",
"published": "2023-09-27T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41308"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/9"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2939-PQMR-4866
Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2022-05-14 03:08GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.
{
"affected": [],
"aliases": [
"CVE-2018-12604"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-20T19:29:00Z",
"severity": "HIGH"
},
"details": "GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.",
"id": "GHSA-2939-pqmr-4866",
"modified": "2022-05-14T03:08:36Z",
"published": "2022-05-14T03:08:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12604"
},
{
"type": "WEB",
"url": "https://github.com/GreenCMS/GreenCMS/issues/110"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44922"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-29HX-HV84-8WCQ
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
{
"affected": [],
"aliases": [
"CVE-2021-3447"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-01T18:15:00Z",
"severity": null
},
"details": "A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.",
"id": "GHSA-29hx-hv84-8wcq",
"modified": "2022-05-24T17:46:06Z",
"published": "2022-05-24T17:46:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3447"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939349"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MS4VPUYVLGSAKOX26IT52BSMEZRZ3KS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUTGO4RS4ZXZSPBU2CHVPT75IAFVTTL3"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.