Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-3M4Q-GGCJ-J6M4

Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:07
VLAI
Summary
Calico Inserts Sensitive Information into Log File
Details

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcalico/calicoctl/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.31.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T18:07:41Z",
    "nvd_published_at": "2026-05-28T17:16:33Z",
    "severity": "HIGH"
  },
  "details": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.",
  "id": "GHSA-3m4q-ggcj-j6m4",
  "modified": "2026-07-02T18:07:41Z",
  "published": "2026-05-28T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/pull/12535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/pull/12536"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/pull/12537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/commit/12908bb48a5bf8cbab5373f4d532509a30cf9b7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/commit/8d87eddcb5eb6efc70c09eb0a33d63137359ea70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcalico/calico/commit/ce3ab2b39b5841757cbccf7922c895c47827f562"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectcalico/calico"
    },
    {
      "type": "WEB",
      "url": "https://www.tigera.io/security-bulletins/tta-2026-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Calico Inserts Sensitive Information into Log File"
}

GHSA-3M7Q-MM9C-3R6P

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-27 21:32
VLAI
Details

VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability.

A malicious actor with adjacent access to web/proxy server logging may be able to obtain sensitive information from URLs that are logged.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability.\n\n\nA malicious actor with adjacent access to \nweb/proxy server logging may be able to obtain sensitive information \nfrom URLs that are logged.",
  "id": "GHSA-3m7q-mm9c-3r6p",
  "modified": "2024-06-27T21:32:08Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22276"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M93-M4Q6-MC6V

Vulnerability from github – Published: 2020-02-26 19:54 – Updated: 2024-09-04 20:27
VLAI
Summary
Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
Details

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-25T02:19:23Z",
    "nvd_published_at": "2020-01-02T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.",
  "id": "GHSA-3m93-m4q6-mc6v",
  "modified": "2024-09-04T20:27:06Z",
  "published": "2020-02-26T19:54:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14864"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/issues/63522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/63527"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/64273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/64274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/64748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/050f92f96054bf59e283fdec9972323c2ed00348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/75288a89d0053d6df35c90863fb6c9542d89850e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/a0ec2976b2716cdecdd7a8f416d96406acd79b7c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/c76e074e4c71c7621a1ca8159261c1959b5287af"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3m93-m4q6-mc6v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-160.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible"
}

GHSA-3P4X-R29J-9QQF

Vulnerability from github – Published: 2022-05-14 01:23 – Updated: 2022-05-14 01:23
VLAI
Details

An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka 'Azure IoT Java SDK Information Disclosure Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-05T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka \u0027Azure IoT Java SDK Information Disclosure Vulnerability\u0027.",
  "id": "GHSA-3p4x-r29j-9qqf",
  "modified": "2022-05-14T01:23:16Z",
  "published": "2022-05-14T01:23:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0741"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0741"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PHV-44JF-4V33

Vulnerability from github – Published: 2024-03-18 21:31 – Updated: 2025-03-14 03:31
VLAI
Details

Insecure permissions for log files of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allow members (with local access to the UMP application server) to access credentials to authenticate to all services, and to decrypt sensitive data stored in the database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Insecure permissions for log files of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allow members (with local access to the UMP application server) to access credentials to authenticate to all services, and to decrypt sensitive data stored in the database.",
  "id": "GHSA-3phv-44jf-4v33",
  "modified": "2025-03-14T03:31:21Z",
  "published": "2024-03-18T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25654"
    },
    {
      "type": "WEB",
      "url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25654"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PM4-MCQW-JQ89

Vulnerability from github – Published: 2026-02-25 03:30 – Updated: 2026-02-25 03:30
VLAI
Details

Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.5.1-00 before 11.0.5-00; Hitachi Device Manager: from 8.4.1-00 before 8.6.5-00.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T03:16:04Z",
    "severity": "MODERATE"
  },
  "details": "Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.5.1-00 before 11.0.5-00; Hitachi Device Manager: from 8.4.1-00 before 8.6.5-00.",
  "id": "GHSA-3pm4-mcqw-jq89",
  "modified": "2026-02-25T03:30:58Z",
  "published": "2026-02-25T03:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5781"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-111/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q48-CQGX-WJ5V

Vulnerability from github – Published: 2025-09-10 15:31 – Updated: 2025-09-10 15:31
VLAI
Details

Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading TRACE log files containing serialized JSON with passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-10T13:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading TRACE log files containing serialized JSON with passwords.",
  "id": "GHSA-3q48-cqgx-wj5v",
  "modified": "2025-09-10T15:31:16Z",
  "published": "2025-09-10T15:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10221"
    },
    {
      "type": "WEB",
      "url": "https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3Q58-8CH7-H333

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-10-27 19:00
VLAI
Details

A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-13T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.",
  "id": "GHSA-3q58-8ch7-h333",
  "modified": "2022-10-27T19:00:41Z",
  "published": "2022-05-24T19:02:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3528"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QG9-5CR6-VJMF

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-21T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.",
  "id": "GHSA-3qg9-5cr6-vjmf",
  "modified": "2022-05-13T01:10:58Z",
  "published": "2022-05-13T01:10:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7683"
    },
    {
      "type": "WEB",
      "url": "http://help.serena.com/doc_center/sbm/ver11_4/sbm_release_notes.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QV3-F275-RCP7

Vulnerability from github – Published: 2024-06-03 12:30 – Updated: 2024-06-03 12:30
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log – Manger Tool.This issue affects Debug Log – Manger Tool: from n/a through 1.4.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-03T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log \u2013 Manger Tool.This issue affects Debug Log \u2013 Manger Tool: from n/a through 1.4.5.",
  "id": "GHSA-3qv3-f275-rcp7",
  "modified": "2024-06-03T12:30:39Z",
  "published": "2024-06-03T12:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34798"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/debug-log-config-tool/wordpress-debug-log-manger-tool-plugin-1-4-5-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.