Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-36HQ-V2FC-RPQP

Vulnerability from github – Published: 2023-08-16 15:30 – Updated: 2023-08-16 21:13
VLAI
Summary
Jenkins Folders Plugin information disclosure vulnerability
Details

Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.

In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.

Folders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:cloudbees-folder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.848.ve3b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T21:13:57Z",
    "nvd_published_at": "2023-08-16T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.\n\nIn Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.\n\nFolders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.",
  "id": "GHSA-36hq-v2fc-rpqp",
  "modified": "2023-08-16T21:13:57Z",
  "published": "2023-08-16T15:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40338"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3109"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/08/16/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Folders Plugin information disclosure vulnerability"
}

GHSA-36M3-3RR8-QRQF

Vulnerability from github – Published: 2023-02-01 15:30 – Updated: 2023-02-08 21:30
VLAI
Details

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.",
  "id": "GHSA-36m3-3rr8-qrqf",
  "modified": "2023-02-08T21:30:19Z",
  "published": "2023-02-01T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22573"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000207863/dell-powerscale-onefs-security-updates-for-multiple-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36V8-VQH8-C3XX

Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 21:30
VLAI
Details

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-27T17:15:54Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.",
  "id": "GHSA-36v8-vqh8-c3xx",
  "modified": "2024-03-27T21:30:47Z",
  "published": "2024-03-27T18:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29945"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2024-0301"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/9a67e749-d291-40dd-8376-d422e7ecf8b5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36XW-WJ35-W3Q4

Vulnerability from github – Published: 2026-06-11 21:31 – Updated: 2026-06-13 00:34
VLAI
Details

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T19:16:34Z",
    "severity": "MODERATE"
  },
  "details": "A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.",
  "id": "GHSA-36xw-wj35-w3q4",
  "modified": "2026-06-13T00:34:30Z",
  "published": "2026-06-11T21:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46313"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37R4-959H-QQ8J

Vulnerability from github – Published: 2023-07-19 03:30 – Updated: 2024-04-04 06:16
VLAI
Details

Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks.  IBM X-Force ID:  247896.",
  "id": "GHSA-37r4-959h-qq8j",
  "modified": "2024-04-04T06:16:47Z",
  "published": "2023-07-19T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26026"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247896"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6999351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37R8-9W7R-9875

Vulnerability from github – Published: 2023-10-06 00:30 – Updated: 2023-10-06 00:30
VLAI
Details

Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-05T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.",
  "id": "GHSA-37r8-9w7r-9875",
  "modified": "2023-10-06T00:30:21Z",
  "published": "2023-10-06T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45241"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-5999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-38X7-CC6W-J27Q

Vulnerability from github – Published: 2025-01-14 15:23 – Updated: 2025-01-14 22:00
VLAI
Summary
TYPO3 Information Disclosure via Exception Handling/Logger
Details

Problem

It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect.

Solution

Update to TYPO3 versions 13.4.3 LTS that fixes the problem described.

Credits

Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.4.2"
            },
            {
              "fixed": "13.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "13.4.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-14T15:23:41Z",
    "nvd_published_at": "2025-01-14T20:15:28Z",
    "severity": "LOW"
  },
  "details": "### Problem\nIt has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect.\n\n### Solution\nUpdate to TYPO3 versions 13.4.3 LTS that fixes the problem described.\n\n### Credits\nThanks to TYPO3 core \u0026 security team member Oliver Hader who reported and fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2025-001](https://typo3.org/security/advisory/typo3-core-sa-2025-001)\n",
  "id": "GHSA-38x7-cc6w-j27q",
  "modified": "2025-01-14T22:00:23Z",
  "published": "2025-01-14T15:23:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/install/commit/baa8089b1baf5552fab213a5761081608b0afc51"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/install"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 Information Disclosure via Exception Handling/Logger"
}

GHSA-39H8-M6RH-4934

Vulnerability from github – Published: 2023-02-13 03:30 – Updated: 2025-03-21 15:31
VLAI
Details

SUSHIRO App for Android outputs sensitive information to the log file, which may result in an attacker obtaining a credential information from the log file. Affected products/versions are as follows: SUSHIRO Ver.4.0.31, Thailand SUSHIRO Ver.1.0.0, Hong Kong SUSHIRO Ver.3.0.2, Singapore SUSHIRO Ver.2.0.0, and Taiwan SUSHIRO Ver.2.0.1

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-13T02:21:00Z",
    "severity": "HIGH"
  },
  "details": "SUSHIRO App for Android outputs sensitive information to the log file, which may result in an attacker obtaining a credential information from the log file. Affected products/versions are as follows: SUSHIRO Ver.4.0.31, Thailand SUSHIRO Ver.1.0.0, Hong Kong SUSHIRO Ver.3.0.2, Singapore SUSHIRO Ver.2.0.0, and Taiwan SUSHIRO Ver.2.0.1",
  "id": "GHSA-39h8-m6rh-4934",
  "modified": "2025-03-21T15:31:08Z",
  "published": "2023-02-13T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22362"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN84642320"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=hk.co.akindo_sushiro.sushiroapp"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=jp.co.akindo_sushiro.sushiroapp"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=sg.co.akindo_sushiro.sushiroapp"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=th.co.akindo_sushiro.sushiroapp"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=tw.co.akindo_sushiro.sushiroapp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39M5-RG2V-54H9

Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2026-03-30 15:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T20:15:49Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.",
  "id": "GHSA-39m5-rg2v-54h9",
  "modified": "2026-03-30T15:31:34Z",
  "published": "2025-11-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13611"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/545947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39PH-WR67-J4XQ

Vulnerability from github – Published: 2022-01-26 00:01 – Updated: 2026-02-27 20:17
VLAI
Summary
loguru logs sensitive information
Details

Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "loguru"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T16:37:17Z",
    "nvd_published_at": "2022-01-25T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3.",
  "id": "GHSA-39ph-wr67-j4xq",
  "modified": "2026-02-27T20:17:55Z",
  "published": "2022-01-26T00:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Delgan/loguru"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/loguru/PYSEC-2022-14.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "loguru logs sensitive information"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.