CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-333V-68XH-8MMQ
Vulnerability from github – Published: 2026-01-16 15:48 – Updated: 2026-01-16 19:10Summary
Invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls.
Details
In crates/ecstore/src/rpc/http_auth.rs:115-122 , the invalid signature branch logs sensitive data:
if signature != expected_signature {
error!(
"verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}",
secret, url, method, timestamp, signature, expected_signature
);
return Err(std::io::Error::other("Invalid signature"));
}
This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers.
PoC
- Run RustFS with error logging enabled.
- Send a request with an invalid signature:
ts=$(date +%s) curl -v \ -H "x-rustfs-timestamp: $ts" \ -H "x-rustfs-signature: invalid-signature" \ "http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1" - Observed output:
HTTP 403 AccessDenied: Invalid signature verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8=
Impact
- Exposes the shared RPC HMAC secret to log readers.
- Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0-alpha.79"
},
"package": {
"ecosystem": "crates.io",
"name": "rustfs"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-alpha.1"
},
{
"fixed": "1.0.0-alpha.80"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22782"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-16T15:48:58Z",
"nvd_published_at": "2026-01-16T17:15:54Z",
"severity": "LOW"
},
"details": "### Summary\nInvalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls.\n\n### Details\nIn [`crates/ecstore/src/rpc/http_auth.rs:115-122`](https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122) , the invalid signature branch logs sensitive data:\n```rs\nif signature != expected_signature {\n error!(\n \"verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}\",\n secret, url, method, timestamp, signature, expected_signature\n );\n\n return Err(std::io::Error::other(\"Invalid signature\"));\n}\n```\n\nThis log line includes `secret` and `expected_signature`, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers.\n\n### PoC\n1. Run RustFS with error logging enabled.\n1. Send a request with an invalid signature:\n ```\n ts=$(date +%s)\n curl -v \\\n -H \"x-rustfs-timestamp: $ts\" \\\n -H \"x-rustfs-signature: invalid-signature\" \\\n \"http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo\u0026volume=bar\u0026path=baz\u0026offset=0\u0026length=1\"\n ```\n1. Observed output:\n ```\n HTTP 403 AccessDenied: Invalid signature\n verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo\u0026volume=bar\u0026path=baz\u0026offset=0\u0026length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8=\n ```\n### Impact\n\n- Exposes the shared RPC HMAC secret to log readers.\n- Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.",
"id": "GHSA-333v-68xh-8mmq",
"modified": "2026-01-16T19:10:59Z",
"published": "2026-01-16T15:48:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22782"
},
{
"type": "WEB",
"url": "https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560"
},
{
"type": "PACKAGE",
"url": "https://github.com/rustfs/rustfs"
},
{
"type": "WEB",
"url": "https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "RustFS\u0027s RPC signature verification logs shared secret"
}
GHSA-33FF-V6QP-8QQF
Vulnerability from github – Published: 2023-08-18 15:30 – Updated: 2023-08-18 15:30A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. It has been classified as problematic. Affected is an unknown function of the file /var/log/rkhunter.log. The manipulation leads to sensitive information in log files. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237516.
{
"affected": [],
"aliases": [
"CVE-2023-4413"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-18T15:15:10Z",
"severity": "LOW"
},
"details": "A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. It has been classified as problematic. Affected is an unknown function of the file /var/log/rkhunter.log. The manipulation leads to sensitive information in log files. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237516.",
"id": "GHSA-33ff-v6qp-8qqf",
"modified": "2023-08-18T15:30:23Z",
"published": "2023-08-18T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4413"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051896"
},
{
"type": "WEB",
"url": "https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.237516"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.237516"
},
{
"type": "WEB",
"url": "https://youtu.be/etHt1TNAgs8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-33VC-JM33-3F35
Vulnerability from github – Published: 2024-12-09 03:30 – Updated: 2024-12-12 18:30Zammad before 6.4.1 places sensitive data (such as auth_microsoft_office365_credentials and application_secret) in log files.
{
"affected": [],
"aliases": [
"CVE-2024-55578"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T03:15:04Z",
"severity": "MODERATE"
},
"details": "Zammad before 6.4.1 places sensitive data (such as auth_microsoft_office365_credentials and application_secret) in log files.",
"id": "GHSA-33vc-jm33-3f35",
"modified": "2024-12-12T18:30:54Z",
"published": "2024-12-09T03:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55578"
},
{
"type": "WEB",
"url": "https://zammad.com/en/advisories/zaa-2024-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-34FR-FHQR-7235
Vulnerability from github – Published: 2021-07-26 21:16 – Updated: 2021-08-31 21:23Meta
- CVSS:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C(4.9)
Problem
It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration.
Solution
Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.
Credits
Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue.
References
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.6.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.41"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32767"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-22T20:24:00Z",
"nvd_published_at": "2021-07-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "\u003e ### Meta\n\u003e * CVSS: `AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C` (4.9)\n\n### Problem\nIt has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the _default_ configuration.\n\n### Solution\nUpdate to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.\n\n### Credits\nThanks to Ingo Schmitt who reported this issue, and to TYPO3 core \u0026 security team member Benni Mack who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-012](https://typo3.org/security/advisory/typo3-core-sa-2021-012)",
"id": "GHSA-34fr-fhqr-7235",
"modified": "2021-08-31T21:23:03Z",
"published": "2021-07-26T21:16:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-34fr-fhqr-7235"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32767"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3/typo3"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-012"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information Disclosure in User Authentication"
}
GHSA-34H9-HW7W-7V67
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-19 00:00An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information.
{
"affected": [],
"aliases": [
"CVE-2022-33911"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information.",
"id": "GHSA-34h9-hw7w-7v67",
"modified": "2022-07-19T00:00:24Z",
"published": "2022-07-13T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33911"
},
{
"type": "WEB",
"url": "https://docs.couchbase.com/server/current/release-notes/relnotes.html"
},
{
"type": "WEB",
"url": "https://forums.couchbase.com/tags/security"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-358R-G2XW-7C83
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2023-08-29 19:58Moodle before 2.2.2, 2.1.5, and 2.0.8 had users' private files included in course backups unnecessarily.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.1"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.4"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.7"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-1156"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-29T19:58:59Z",
"nvd_published_at": "2019-11-14T16:15:00Z",
"severity": "HIGH"
},
"details": "Moodle before 2.2.2, 2.1.5, and 2.0.8 had users\u0027 private files included in course backups unnecessarily.",
"id": "GHSA-358r-g2xw-7c83",
"modified": "2023-08-29T19:58:59Z",
"published": "2022-04-23T00:40:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1156"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/37b6e7a03c77ea99fbe5224a15419e318019c570"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/ac6dc09c261219afa0191e9f2daf030bd071d272"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/f88224624dca76e1a8a2810fd8cc04292611f91c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2012-1156"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1156"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=198623"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1156"
},
{
"type": "WEB",
"url": "http://docs.moodle.org/dev/Moodle_2.0.8_release_notes"
},
{
"type": "WEB",
"url": "http://docs.moodle.org/dev/Moodle_2.1.5_release_notes"
},
{
"type": "WEB",
"url": "http://docs.moodle.org/dev/Moodle_2.2.2_release_notes"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle backs up private files"
}
GHSA-35CW-M3GX-Q34F
Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 21:30A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2026-20668"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T01:17:05Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.",
"id": "GHSA-35cw-m3gx-q34f",
"modified": "2026-03-25T21:30:28Z",
"published": "2026-03-25T03:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20668"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126348"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126353"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126793"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126795"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126796"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-35VR-X655-89WJ
Vulnerability from github – Published: 2023-10-03 15:30 – Updated: 2024-04-04 08:10A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, affecting version 2019. By firstly downloading the log file, an attacker could retrieve the SQL query sent to the application in plaint text. This log file contains the password hashes coded with AES-CBC-128 bits algorithm, which can be decrypted with a .NET function, obtaining the username's password in plain text.
{
"affected": [],
"aliases": [
"CVE-2023-3350"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T14:15:10Z",
"severity": "HIGH"
},
"details": "A Cryptographic Issue vulnerability has been found on IBERMATICA RPS, affecting version 2019. By firstly downloading the log file, an attacker could retrieve the SQL query sent to the application in plaint text. This log file contains the password hashes coded with AES-CBC-128 bits algorithm, which can be decrypted with a .NET function, obtaining the username\u0027s password in plain text.",
"id": "GHSA-35vr-x655-89wj",
"modified": "2024-04-04T08:10:34Z",
"published": "2023-10-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3350"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-366R-6RJW-F277
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-13 15:30A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information.
{
"affected": [],
"aliases": [
"CVE-2026-20646"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:07Z",
"severity": "LOW"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information.",
"id": "GHSA-366r-6rjw-f277",
"modified": "2026-02-13T15:30:23Z",
"published": "2026-02-12T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20646"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36FM-F9H6-J5XH
Vulnerability from github – Published: 2025-07-04 09:31 – Updated: 2025-07-04 09:31A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-9453"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T09:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information.",
"id": "GHSA-36fm-f9h6-j5xh",
"modified": "2025-07-04T09:31:15Z",
"published": "2025-07-04T09:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9453"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9453"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316231"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.