CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-3M4Q-GGCJ-J6M4
Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:07When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcalico/calicoctl/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.31.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6720"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:07:41Z",
"nvd_published_at": "2026-05-28T17:16:33Z",
"severity": "HIGH"
},
"details": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.",
"id": "GHSA-3m4q-ggcj-j6m4",
"modified": "2026-07-02T18:07:41Z",
"published": "2026-05-28T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6720"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12535"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12536"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12537"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/12908bb48a5bf8cbab5373f4d532509a30cf9b7f"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/8d87eddcb5eb6efc70c09eb0a33d63137359ea70"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/ce3ab2b39b5841757cbccf7922c895c47827f562"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcalico/calico"
},
{
"type": "WEB",
"url": "https://www.tigera.io/security-bulletins/tta-2026-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Calico Inserts Sensitive Information into Log File"
}
GHSA-3M7Q-MM9C-3R6P
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-27 21:32VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability.
A malicious actor with adjacent access to web/proxy server logging may be able to obtain sensitive information from URLs that are logged.
{
"affected": [],
"aliases": [
"CVE-2024-22276"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T21:15:13Z",
"severity": "MODERATE"
},
"details": "VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability.\n\n\nA malicious actor with adjacent access to \nweb/proxy server logging may be able to obtain sensitive information \nfrom URLs that are logged.",
"id": "GHSA-3m7q-mm9c-3r6p",
"modified": "2024-06-27T21:32:08Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22276"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3M93-M4Q6-MC6V
Vulnerability from github – Published: 2020-02-26 19:54 – Updated: 2024-09-04 20:27Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14864"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-25T02:19:23Z",
"nvd_published_at": "2020-01-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.",
"id": "GHSA-3m93-m4q6-mc6v",
"modified": "2024-09-04T20:27:06Z",
"published": "2020-02-26T19:54:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14864"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/issues/63522"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/63527"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/64273"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/64274"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/64748"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/050f92f96054bf59e283fdec9972323c2ed00348"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/75288a89d0053d6df35c90863fb6c9542d89850e"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/a0ec2976b2716cdecdd7a8f416d96406acd79b7c"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/c76e074e4c71c7621a1ca8159261c1959b5287af"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3m93-m4q6-mc6v"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-160.yaml"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible"
}
GHSA-3P4X-R29J-9QQF
Vulnerability from github – Published: 2022-05-14 01:23 – Updated: 2022-05-14 01:23An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka 'Azure IoT Java SDK Information Disclosure Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0741"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-05T23:29:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka \u0027Azure IoT Java SDK Information Disclosure Vulnerability\u0027.",
"id": "GHSA-3p4x-r29j-9qqf",
"modified": "2022-05-14T01:23:16Z",
"published": "2022-05-14T01:23:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0741"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0741"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3PHV-44JF-4V33
Vulnerability from github – Published: 2024-03-18 21:31 – Updated: 2025-03-14 03:31Insecure permissions for log files of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allow members (with local access to the UMP application server) to access credentials to authenticate to all services, and to decrypt sensitive data stored in the database.
{
"affected": [],
"aliases": [
"CVE-2024-25654"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T20:15:08Z",
"severity": "MODERATE"
},
"details": "Insecure permissions for log files of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allow members (with local access to the UMP application server) to access credentials to authenticate to all services, and to decrypt sensitive data stored in the database.",
"id": "GHSA-3phv-44jf-4v33",
"modified": "2025-03-14T03:31:21Z",
"published": "2024-03-18T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25654"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3PM4-MCQW-JQ89
Vulnerability from github – Published: 2026-02-25 03:30 – Updated: 2026-02-25 03:30Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.5.1-00 before 11.0.5-00; Hitachi Device Manager: from 8.4.1-00 before 8.6.5-00.
{
"affected": [],
"aliases": [
"CVE-2025-5781"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T03:16:04Z",
"severity": "MODERATE"
},
"details": "Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.5.1-00 before 11.0.5-00; Hitachi Device Manager: from 8.4.1-00 before 8.6.5-00.",
"id": "GHSA-3pm4-mcqw-jq89",
"modified": "2026-02-25T03:30:58Z",
"published": "2026-02-25T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5781"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-111/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3Q48-CQGX-WJ5V
Vulnerability from github – Published: 2025-09-10 15:31 – Updated: 2025-09-10 15:31Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading TRACE log files containing serialized JSON with passwords.
{
"affected": [],
"aliases": [
"CVE-2025-10221"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T13:15:35Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading TRACE log files containing serialized JSON with passwords.",
"id": "GHSA-3q48-cqgx-wj5v",
"modified": "2025-09-10T15:31:16Z",
"published": "2025-09-10T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10221"
},
{
"type": "WEB",
"url": "https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3Q58-8CH7-H333
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-10-27 19:00A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.
{
"affected": [],
"aliases": [
"CVE-2021-3528"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-13T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.",
"id": "GHSA-3q58-8ch7-h333",
"modified": "2022-10-27T19:00:41Z",
"published": "2022-05-24T19:02:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3528"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QG9-5CR6-VJMF
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.
{
"affected": [],
"aliases": [
"CVE-2018-7683"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-21T19:29:00Z",
"severity": "HIGH"
},
"details": "Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.",
"id": "GHSA-3qg9-5cr6-vjmf",
"modified": "2022-05-13T01:10:58Z",
"published": "2022-05-13T01:10:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7683"
},
{
"type": "WEB",
"url": "http://help.serena.com/doc_center/sbm/ver11_4/sbm_release_notes.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QV3-F275-RCP7
Vulnerability from github – Published: 2024-06-03 12:30 – Updated: 2024-06-03 12:30Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log – Manger Tool.This issue affects Debug Log – Manger Tool: from n/a through 1.4.5.
{
"affected": [],
"aliases": [
"CVE-2024-34798"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T11:15:10Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log \u2013 Manger Tool.This issue affects Debug Log \u2013 Manger Tool: from n/a through 1.4.5.",
"id": "GHSA-3qv3-f275-rcp7",
"modified": "2024-06-03T12:30:39Z",
"published": "2024-06-03T12:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34798"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/debug-log-config-tool/wordpress-debug-log-manger-tool-plugin-1-4-5-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.