CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-2M5H-VV32-6GJR
Vulnerability from github – Published: 2024-07-19 15:31 – Updated: 2024-07-19 15:31Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.
{
"affected": [],
"aliases": [
"CVE-2024-0006"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T15:15:09Z",
"severity": "MODERATE"
},
"details": "Information exposure in the logging system in Yugabyte Platform allows local attackers with access to application logs to obtain database user credentials in log files, potentially leading to unauthorized database access.",
"id": "GHSA-2m5h-vv32-6gjr",
"modified": "2024-07-19T15:31:47Z",
"published": "2024-07-19T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0006"
},
{
"type": "WEB",
"url": "https://github.com/yugabyte/yugabyte-db/commit/439c6286f1971f9ac6bff2c7215b454c2025c593"
},
{
"type": "WEB",
"url": "https://github.com/yugabyte/yugabyte-db/commit/5cc7f4e15d6ccccbf97c57946fd0aa630f88c9e2"
},
{
"type": "WEB",
"url": "https://github.com/yugabyte/yugabyte-db/commit/d96e6b629f34d065b47204daeeb44064e484c579"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2M5X-R2G7-72X8
Vulnerability from github – Published: 2024-01-30 18:30 – Updated: 2024-01-30 18:30In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.
{
"affected": [],
"aliases": [
"CVE-2023-46230"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-30T17:15:09Z",
"severity": "HIGH"
},
"details": "In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.",
"id": "GHSA-2m5x-r2g7-72x8",
"modified": "2024-01-30T18:30:20Z",
"published": "2024-01-30T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46230"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0111"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2M8V-GJ6W-PVRW
Vulnerability from github – Published: 2024-09-25 15:31 – Updated: 2024-09-25 15:31Insertion of Sensitive Information into Log File vulnerability in StylemixThemes Masterstudy LMS Starter.This issue affects Masterstudy LMS Starter: from n/a through 1.1.8.
{
"affected": [],
"aliases": [
"CVE-2024-43990"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T15:15:14Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in StylemixThemes Masterstudy LMS Starter.This issue affects Masterstudy LMS Starter: from n/a through 1.1.8.",
"id": "GHSA-2m8v-gj6w-pvrw",
"modified": "2024-09-25T15:31:13Z",
"published": "2024-09-25T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43990"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/ms-lms-starter-theme/wordpress-masterstudy-lms-starter-theme-1-1-8-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2MF5-R62X-GR5C
Vulnerability from github – Published: 2025-04-22 12:31 – Updated: 2025-08-25 03:33Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators.
{
"affected": [],
"aliases": [
"CVE-2025-2092"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-22T12:15:15Z",
"severity": "HIGH"
},
"details": "Insertion of Sensitive Information into Log File in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p29, \u003c2.2.0p41 and \u003c=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators.",
"id": "GHSA-2mf5-r62x-gr5c",
"modified": "2025-08-25T03:33:06Z",
"published": "2025-04-22T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2092"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17780"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2MHX-FMHX-VPCC
Vulnerability from github – Published: 2024-02-09 00:31 – Updated: 2024-02-15 18:30The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.
{
"affected": [],
"aliases": [
"CVE-2023-47131"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T23:15:09Z",
"severity": "HIGH"
},
"details": "The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.",
"id": "GHSA-2mhx-fmhx-vpcc",
"modified": "2024-02-15T18:30:40Z",
"published": "2024-02-09T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47131"
},
{
"type": "WEB",
"url": "https://me.n-able.com/s/security-advisory/aArHs000000M8CCKA0/cve202347131-passportal-browser-extension-logs-sensitive-data"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PFV-Q6J2-PCRF
Vulnerability from github – Published: 2023-10-04 15:30 – Updated: 2024-01-02 00:30A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
{
"affected": [],
"aliases": [
"CVE-2023-4380"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T15:15:12Z",
"severity": "MODERATE"
},
"details": "A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.",
"id": "GHSA-2pfv-q6j2-pcrf",
"modified": "2024-01-02T00:30:21Z",
"published": "2023-10-04T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4380"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4693"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4380"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232324"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2PVH-XF99-R989
Vulnerability from github – Published: 2022-05-14 01:17 – Updated: 2022-05-14 01:17In Webgalamb through 7.0, log files are exposed to the internet with predictable files/logs/sql_error_log/YYYY-MM-DD-sql_error_log.log filenames. The log file could contain sensitive client data (email addresses) and also facilitates exploitation of SQL injection errors.
{
"affected": [],
"aliases": [
"CVE-2018-19513"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:00:00Z",
"severity": "HIGH"
},
"details": "In Webgalamb through 7.0, log files are exposed to the internet with predictable files/logs/sql_error_log/YYYY-MM-DD-sql_error_log.log filenames. The log file could contain sensitive client data (email addresses) and also facilitates exploitation of SQL injection errors.",
"id": "GHSA-2pvh-xf99-r989",
"modified": "2022-05-14T01:17:43Z",
"published": "2022-05-14T01:17:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19513"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/151017/Webgalamb-Information-Disclosure-XSS-CSRF-SQL-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Jan/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q32-MMXP-HXR7
Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-05 09:30HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs.
{
"affected": [],
"aliases": [
"CVE-2026-21786"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T08:15:58Z",
"severity": "LOW"
},
"details": "HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs.",
"id": "GHSA-2q32-mmxp-hxr7",
"modified": "2026-03-05T09:30:34Z",
"published": "2026-03-05T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21786"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0128949"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q4F-GJPQ-VFMH
Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-10-22 00:33Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.
{
"affected": [],
"aliases": [
"CVE-2025-24984"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T17:16:34Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.",
"id": "GHSA-2q4f-gjpq-vfmh",
"modified": "2025-10-22T00:33:14Z",
"published": "2025-03-11T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24984"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24984"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QPF-6HHX-QXXG
Vulnerability from github – Published: 2022-05-10 00:00 – Updated: 2022-05-18 00:00An information exposure through log file vulnerability in Brocade SANNav versions before Brocade SANnav 2.2.0 could allow an authenticated, local attacker to view sensitive information such as ssh passwords in filetansfer.log in debug mode. To exploit this vulnerability, the attacker would need to have valid user credentials and turn on debug mode.
{
"affected": [],
"aliases": [
"CVE-2022-28161"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "An information exposure through log file vulnerability in Brocade SANNav versions before Brocade SANnav 2.2.0 could allow an authenticated, local attacker to view sensitive information such as ssh passwords in filetansfer.log in debug mode. To exploit this vulnerability, the attacker would need to have valid user credentials and turn on debug mode.",
"id": "GHSA-2qpf-6hhx-qxxg",
"modified": "2022-05-18T00:00:32Z",
"published": "2022-05-10T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28161"
},
{
"type": "WEB",
"url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1840"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.