Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-27R7-3M9X-R533

Vulnerability from github – Published: 2025-08-26 16:19 – Updated: 2025-08-29 21:03
VLAI
Summary
traQ Allows Insertion of Sensitive Information into Log File
Details

Impact

A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information.

Patch

This vulnerability was temporarily fixed by #2787 and will be completely resolved by #2788.

This issue may have caused OAuth tokens to be leaked to users who can view logs on traQ instances using versions prior to v3.25.0.

While it is possible that OAuth tokens for both human users and Bots were leaked, revoking Bot access tokens is not recommended as it may cause errors. This issue will be resolved in a future update.

Currently, the recommended mitigation is to invalidate the OAuth tokens of human users only. To apply this measure, please execute the following SQL statement directly:

UPDATE oauth2_tokens SET deleted_at = NOW() WHERE deleted_at IS NULL AND scopes != "bot"

Workaround

If you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traPtitech/traQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-26T16:19:41Z",
    "nvd_published_at": "2025-08-26T16:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query.\nAn attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information.\n\n### Patch\nThis vulnerability was temporarily fixed by #2787 and will be completely resolved by #2788. \n\nThis issue may have caused OAuth tokens to be leaked to users who can view logs on traQ instances using versions prior to v3.25.0.\n\nWhile it is possible that OAuth tokens for both human users and Bots were leaked, revoking Bot access tokens is not recommended as it may cause errors. This issue will be resolved in a future update.\n\nCurrently, the recommended mitigation is to invalidate the OAuth tokens of human users only. To apply this measure, please execute the following SQL statement directly:\n```sql\nUPDATE oauth2_tokens SET deleted_at = NOW() WHERE deleted_at IS NULL AND scopes != \"bot\"\n```\n\n### Workaround\nIf you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.",
  "id": "GHSA-27r7-3m9x-r533",
  "modified": "2025-08-29T21:03:36Z",
  "published": "2025-08-26T16:19:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traPtitech/traQ/security/advisories/GHSA-27r7-3m9x-r533"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traPtitech/traQ/pull/2787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traPtitech/traQ/pull/2788"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traPtitech/traQ/commit/ce5da94f5d5a8348f9ecdc82140b6f53b3721698"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traPtitech/traQ"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3913"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "traQ Allows Insertion of Sensitive Information into Log File"
}

GHSA-27RQ-4943-QCWP

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-06-02 17:38
VLAI
Summary
Insertion of Sensitive Information into Log File in Hashicorp go-getter
Details

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/go-getter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-03T20:19:26Z",
    "nvd_published_at": "2022-04-27T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.",
  "id": "GHSA-27rq-4943-qcwp",
  "modified": "2022-06-02T17:38:26Z",
  "published": "2022-04-28T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-getter/pull/348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/go-getter"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-getter/releases/tag/v1.5.11"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0438"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File in Hashicorp go-getter"
}

GHSA-27W6-8M77-X3QF

Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-04-08 18:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration.This issue affects WordPress Backup & Migration: from n/a through 1.4.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T16:15:13Z",
    "severity": "LOW"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup \u0026 Migration.This issue affects WordPress Backup \u0026 Migration: from n/a through 1.4.7.",
  "id": "GHSA-27w6-8m77-x3qf",
  "modified": "2025-04-08T18:34:11Z",
  "published": "2024-04-10T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31254"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-migration-duplicator/wordpress-wordpress-backup-migration-plugin-1-4-7-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2826-9VPV-CRX3

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-03-01 18:31
VLAI
Details

GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-10T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user\u0027s token.",
  "id": "GHSA-2826-9vpv-crx3",
  "modified": "2023-03-01T18:31:02Z",
  "published": "2022-05-24T16:49:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19583"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2844-PFQ3-9X4M

Vulnerability from github – Published: 2025-07-07 15:30 – Updated: 2025-07-07 15:30
VLAI
Details

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-07T15:15:28Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.",
  "id": "GHSA-2844-pfq3-9x4m",
  "modified": "2025-07-07T15:30:40Z",
  "published": "2025-07-07T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6711"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-98720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-286M-RX96-29M7

Vulnerability from github – Published: 2022-05-14 03:05 – Updated: 2025-04-20 03:32
VLAI
Details

The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-06T06:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.",
  "id": "GHSA-286m-rx96-29m7",
  "modified": "2025-04-20T03:32:24Z",
  "published": "2022-05-14T03:05:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/146cc8a17a3b4996f6805ee5c080e7101277c410"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416114"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3754-1"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=146cc8a17a3b4996f6805ee5c080e7101277c410"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3791"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/01/21/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2874-9WC2-224F

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-12T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.",
  "id": "GHSA-2874-9wc2-224f",
  "modified": "2022-05-13T01:33:34Z",
  "published": "2022-05-13T01:33:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1075"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2071"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-1075"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1542508"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1075"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.ovirt.org/#/c/91653"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-28H8-8GFR-GWWM

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:54
VLAI
Details

Screenshot vulnerability in the input module. Successful exploitation of this vulnerability may affect confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:28Z",
    "severity": "HIGH"
  },
  "details": "Screenshot vulnerability in the input module. Successful exploitation of this vulnerability may affect confidentiality.",
  "id": "GHSA-28h8-8gfr-gwwm",
  "modified": "2024-04-04T07:54:09Z",
  "published": "2023-09-27T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41308"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2939-PQMR-4866

Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2022-05-14 03:08
VLAI
Details

GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-20T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.",
  "id": "GHSA-2939-pqmr-4866",
  "modified": "2022-05-14T03:08:36Z",
  "published": "2022-05-14T03:08:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GreenCMS/GreenCMS/issues/110"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44922"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-29HX-HV84-8WCQ

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-01T18:15:00Z",
    "severity": null
  },
  "details": "A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.",
  "id": "GHSA-29hx-hv84-8wcq",
  "modified": "2022-05-24T17:46:06Z",
  "published": "2022-05-24T17:46:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3447"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939349"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MS4VPUYVLGSAKOX26IT52BSMEZRZ3KS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUTGO4RS4ZXZSPBU2CHVPT75IAFVTTL3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.