CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-2R5R-X58V-CX3W
Vulnerability from github – Published: 2021-05-25 20:05 – Updated: 2021-12-20 17:46A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.
{
"affected": [],
"aliases": [
"CVE-2020-10712"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-22T16:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.",
"id": "GHSA-2r5r-x58v-cx3w",
"modified": "2021-12-20T17:46:48Z",
"published": "2021-05-25T20:05:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10712"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10712"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Information Disclosure in OpenShift Container Platform"
}
GHSA-2R6R-XV9X-QFCR
Vulnerability from github – Published: 2026-01-16 18:31 – Updated: 2026-01-16 18:31A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-43508"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T18:16:07Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.",
"id": "GHSA-2r6r-xv9x-qfcr",
"modified": "2026-01-16T18:31:33Z",
"published": "2026-01-16T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43508"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2RHM-RW5W-H5P8
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07myFax version 229 logs sensitive information in the export log module which allows any user to access critical information.
{
"affected": [],
"aliases": [
"CVE-2020-24038"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "myFax version 229 logs sensitive information in the export log module which allows any user to access critical information.",
"id": "GHSA-2rhm-rw5w-h5p8",
"modified": "2022-05-24T19:07:05Z",
"published": "2022-05-24T19:07:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24038"
},
{
"type": "WEB",
"url": "https://github.com/Dmitriy-area51/Exploit/tree/master/CVE-2020-24038"
},
{
"type": "WEB",
"url": "https://myfax.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2RXG-F4R2-FM3C
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-02-02 18:30Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
{
"affected": [],
"aliases": [
"CVE-2019-10194"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-11T19:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.",
"id": "GHSA-2rxg-f4r2-fm3c",
"modified": "2023-02-02T18:30:55Z",
"published": "2022-05-24T16:50:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10194"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2499"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-10194"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1726007"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10194"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2VCW-8VC6-XXFW
Vulnerability from github – Published: 2023-04-27 00:30 – Updated: 2024-04-04 03:42Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
{
"affected": [],
"aliases": [
"CVE-2023-1786"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-26T23:15:08Z",
"severity": "MODERATE"
},
"details": "Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.",
"id": "GHSA-2vcw-8vc6-xxfw",
"modified": "2024-04-04T03:42:27Z",
"published": "2023-04-27T00:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1786"
},
{
"type": "WEB",
"url": "https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/cloud-init/+bug/2013967"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ATBJSXPL2IOAD2LDQRKWPLIC7QXS44GZ"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/notices/USN-6042-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W67-MWP7-3283
Vulnerability from github – Published: 2024-06-21 18:31 – Updated: 2024-06-21 18:31Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3.
{
"affected": [],
"aliases": [
"CVE-2022-44587"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T16:15:10Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3.",
"id": "GHSA-2w67-mwp7-3283",
"modified": "2024-06-21T18:31:00Z",
"published": "2024-06-21T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44587"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W6J-VFMX-4R46
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Improper log management vulnerability in Watch Active PlugIn prior to version 2.2.07.21033151 allows attacker with log permissions to leak Wi-Fi password connected to the user smartphone within log.
{
"affected": [],
"aliases": [
"CVE-2021-25422"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Improper log management vulnerability in Watch Active PlugIn prior to version 2.2.07.21033151 allows attacker with log permissions to leak Wi-Fi password connected to the user smartphone within log.",
"id": "GHSA-2w6j-vfmx-4r46",
"modified": "2022-05-24T19:05:06Z",
"published": "2022-05-24T19:05:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25422"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2WH2-FFF9-4M63
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to default.
{
"affected": [],
"aliases": [
"CVE-2023-3363"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T03:15:10Z",
"severity": "LOW"
},
"details": "An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.",
"id": "GHSA-2wh2-fff9-4m63",
"modified": "2024-04-04T06:06:30Z",
"published": "2023-07-13T03:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3363"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2WX6-WC87-RMJM
Vulnerability from github – Published: 2020-03-19 17:29 – Updated: 2024-09-20 17:31Impact
The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files.
Scope:
- the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
- as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using
--upload-test-reportin combination with--from-pr, nor in the installation logs that are copied to the software installation directories;
- as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using
- the message is only logged when using
--debug, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default); - the log message is triggered via
--from-pr, but also via various other GitHub integration options like--new-pr,--merge-pr,--close-pr, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully; - you may have several debug log files that include your GitHub token in
/tmp(or a different location if you've set the--tmpdirEasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700); - the only way that a log file that may include your token could have been made public is if you shared it yourself, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
- for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;
Patches
The issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.
This fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the master+ develop branches of the easybuild-framework repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).
Make sure you revoke the existing GitHub tokens you're using with EasyBuild (via https://github.com/settings/tokens), and install new ones using "eb --install-github-token --force" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).
Workarounds
- avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;
- don't share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;
- clean up temporary EasyBuild log files in
/tmpon the system(s) where you`re using EasyBuild
References
- https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)
- (release announcement to EasyBuild mailing list)
For more information
- Open an issue in the
easybuild-frameworkrepository - Email us at easybuild-admin@lists.ugent.be
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "easybuild-framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5262"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-19T17:04:51Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files.\n\nScope:\n\n* the log message only appears in the top-level log file, *not* in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);\n - as a consequence, tokens are *not* included in the partial log files that are uploaded into a gist when using `--upload-test-report` in combination with `--from-pr`, nor in the installation logs that are copied to the software installation directories;\n* the message is only logged when using `--debug`, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);\n* the log message is triggered via `--from-pr`, but also via various other GitHub integration options like `--new-pr`, `--merge-pr`, `--close-pr`, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;\n* you may have several debug log files that include your GitHub token in `/tmp` (or a different location if you\u0027ve set the `--tmpdir` EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);\n* the only way that a log file that may include your token could have been made public is *if you shared it yourself*, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;\n* for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;\n\n### Patches\n\nThe issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.\n\nThis fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the `master`+ `develop` branches of the `easybuild-framework` repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).\n\n**Make sure you revoke the existing GitHub tokens you\u0027re using with EasyBuild** (via https://github.com/settings/tokens), and install new ones using \"`eb --install-github-token --force`\" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).\n\n### Workarounds\n\n* avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;\n* don\u0027t share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;\n* clean up temporary EasyBuild log files in `/tmp`on the system(s) where you`re using EasyBuild\n\n### References\n\n* https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)\n* (release announcement to EasyBuild mailing list)\n\n### For more information\n\n* Open an issue in [the `easybuild-framework` repository](https://github.com/easybuilders/easybuild-framework)\n* Email us at [easybuild-admin@lists.ugent.be](mailto:easybuild-admin@lists.ugent.be)",
"id": "GHSA-2wx6-wc87-rmjm",
"modified": "2024-09-20T17:31:44Z",
"published": "2020-03-19T17:29:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5262"
},
{
"type": "WEB",
"url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
},
{
"type": "WEB",
"url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
},
{
"type": "WEB",
"url": "https://github.com/easybuilders/easybuild-framework/commit/210743d0e3618a8ac0a56eb9c0f4fa4fd8ae53b9"
},
{
"type": "PACKAGE",
"url": "https://github.com/easybuilders/easybuild-framework"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild-framework/PYSEC-2020-41.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild/PYSEC-2020-268.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GitHub personal access token leaking into temporary EasyBuild (debug) logs"
}
GHSA-2XFM-MGC4-J8FX
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2018-16889"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-28T14:29:00Z",
"severity": "HIGH"
},
"details": "Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable.",
"id": "GHSA-2xfm-mgc4-j8fx",
"modified": "2022-05-13T01:50:27Z",
"published": "2022-05-13T01:50:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16889"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2538"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2541"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-16889"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1665334"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16889"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4035-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.