CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-36HQ-V2FC-RPQP
Vulnerability from github – Published: 2023-08-16 15:30 – Updated: 2023-08-16 21:13Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.
In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.
Folders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cloudbees-folder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.848.ve3b"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40338"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-16T21:13:57Z",
"nvd_published_at": "2023-08-16T15:15:11Z",
"severity": "MODERATE"
},
"details": "Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.\n\nIn Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.\n\nFolders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.",
"id": "GHSA-36hq-v2fc-rpqp",
"modified": "2023-08-16T21:13:57Z",
"published": "2023-08-16T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40338"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3109"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/08/16/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Folders Plugin information disclosure vulnerability"
}
GHSA-36M3-3RR8-QRQF
Vulnerability from github – Published: 2023-02-01 15:30 – Updated: 2023-02-08 21:30Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-22573"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T14:15:00Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.",
"id": "GHSA-36m3-3rr8-qrqf",
"modified": "2023-02-08T21:30:19Z",
"published": "2023-02-01T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22573"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000207863/dell-powerscale-onefs-security-updates-for-multiple-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36V8-VQH8-C3XX
Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 21:30In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.
{
"affected": [],
"aliases": [
"CVE-2024-29945"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T17:15:54Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.",
"id": "GHSA-36v8-vqh8-c3xx",
"modified": "2024-03-27T21:30:47Z",
"published": "2024-03-27T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29945"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0301"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/9a67e749-d291-40dd-8376-d422e7ecf8b5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-36XW-WJ35-W3Q4
Vulnerability from github – Published: 2026-06-11 21:31 – Updated: 2026-06-13 00:34A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-46313"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T19:16:34Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.",
"id": "GHSA-36xw-wj35-w3q4",
"modified": "2026-06-13T00:34:30Z",
"published": "2026-06-11T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46313"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37R4-959H-QQ8J
Vulnerability from github – Published: 2023-07-19 03:30 – Updated: 2024-04-04 06:16Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.
{
"affected": [],
"aliases": [
"CVE-2023-26026"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T02:15:09Z",
"severity": "HIGH"
},
"details": "Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896.",
"id": "GHSA-37r4-959h-qq8j",
"modified": "2024-04-04T06:16:47Z",
"published": "2023-07-19T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26026"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247896"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6999351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37R8-9W7R-9875
Vulnerability from github – Published: 2023-10-06 00:30 – Updated: 2023-10-06 00:30Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.
{
"affected": [],
"aliases": [
"CVE-2023-45241"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-05T22:15:12Z",
"severity": "MODERATE"
},
"details": "Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35739.",
"id": "GHSA-37r8-9w7r-9875",
"modified": "2023-10-06T00:30:21Z",
"published": "2023-10-06T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45241"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-5999"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-38X7-CC6W-J27Q
Vulnerability from github – Published: 2025-01-14 15:23 – Updated: 2025-01-14 22:00Problem
It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect.
Solution
Update to TYPO3 versions 13.4.3 LTS that fixes the problem described.
Credits
Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue.
References
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-install"
},
"ranges": [
{
"events": [
{
"introduced": "13.4.2"
},
{
"fixed": "13.4.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"13.4.2"
]
}
],
"aliases": [
"CVE-2024-55891"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-14T15:23:41Z",
"nvd_published_at": "2025-01-14T20:15:28Z",
"severity": "LOW"
},
"details": "### Problem\nIt has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect.\n\n### Solution\nUpdate to TYPO3 versions 13.4.3 LTS that fixes the problem described.\n\n### Credits\nThanks to TYPO3 core \u0026 security team member Oliver Hader who reported and fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2025-001](https://typo3.org/security/advisory/typo3-core-sa-2025-001)\n",
"id": "GHSA-38x7-cc6w-j27q",
"modified": "2025-01-14T22:00:23Z",
"published": "2025-01-14T15:23:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-38x7-cc6w-j27q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55891"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3-CMS/install/commit/baa8089b1baf5552fab213a5761081608b0afc51"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/install"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2025-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Information Disclosure via Exception Handling/Logger"
}
GHSA-39H8-M6RH-4934
Vulnerability from github – Published: 2023-02-13 03:30 – Updated: 2025-03-21 15:31SUSHIRO App for Android outputs sensitive information to the log file, which may result in an attacker obtaining a credential information from the log file. Affected products/versions are as follows: SUSHIRO Ver.4.0.31, Thailand SUSHIRO Ver.1.0.0, Hong Kong SUSHIRO Ver.3.0.2, Singapore SUSHIRO Ver.2.0.0, and Taiwan SUSHIRO Ver.2.0.1
{
"affected": [],
"aliases": [
"CVE-2023-22362"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-13T02:21:00Z",
"severity": "HIGH"
},
"details": "SUSHIRO App for Android outputs sensitive information to the log file, which may result in an attacker obtaining a credential information from the log file. Affected products/versions are as follows: SUSHIRO Ver.4.0.31, Thailand SUSHIRO Ver.1.0.0, Hong Kong SUSHIRO Ver.3.0.2, Singapore SUSHIRO Ver.2.0.0, and Taiwan SUSHIRO Ver.2.0.1",
"id": "GHSA-39h8-m6rh-4934",
"modified": "2025-03-21T15:31:08Z",
"published": "2023-02-13T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22362"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN84642320"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=hk.co.akindo_sushiro.sushiroapp"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=jp.co.akindo_sushiro.sushiroapp"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=sg.co.akindo_sushiro.sushiroapp"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=th.co.akindo_sushiro.sushiroapp"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=tw.co.akindo_sushiro.sushiroapp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-39M5-RG2V-54H9
Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2026-03-30 15:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2025-13611"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T20:15:49Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.",
"id": "GHSA-39m5-rg2v-54h9",
"modified": "2026-03-30T15:31:34Z",
"published": "2025-11-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13611"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/545947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-39PH-WR67-J4XQ
Vulnerability from github – Published: 2022-01-26 00:01 – Updated: 2026-02-27 20:17Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "loguru"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0338"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T16:37:17Z",
"nvd_published_at": "2022-01-25T09:15:00Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3.",
"id": "GHSA-39ph-wr67-j4xq",
"modified": "2026-02-27T20:17:55Z",
"published": "2022-01-26T00:01:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0338"
},
{
"type": "WEB",
"url": "https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa"
},
{
"type": "PACKAGE",
"url": "https://github.com/Delgan/loguru"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/loguru/PYSEC-2022-14.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "loguru logs sensitive information"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.