Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-5J89-95RH-FRFJ

Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:42
VLAI
Details

Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-12T09:15:10Z",
    "severity": "HIGH"
  },
  "details": "Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization.\u00a0\n",
  "id": "GHSA-5j89-95rh-frfj",
  "modified": "2024-04-04T05:42:40Z",
  "published": "2023-07-06T21:14:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2514"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JF9-W976-2JH9

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-10-26 12:00
VLAI
Details

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-20T04:15:00Z",
    "severity": "LOW"
  },
  "details": "An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS configuration to the destination server.",
  "id": "GHSA-5jf9-w976-2jh9",
  "modified": "2022-10-26T12:00:40Z",
  "published": "2022-05-24T17:47:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3037"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2021-3037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JFH-X25R-V632

Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44
VLAI
Details

HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-05T09:29:00Z",
    "severity": "HIGH"
  },
  "details": "HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.",
  "id": "GHSA-5jfh-x25r-v632",
  "modified": "2022-05-14T01:44:59Z",
  "published": "2022-05-14T01:44:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#100-december-3rd-2018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MPF-HW8F-86W9

Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-11-30 20:44
VLAI
Summary
Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin
Details

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

Existing build.xml files are not automatically updated to remove captured environment variables. They need to be manually cleaned up. To help with this, the plugin will report environment variables stored in build.xml as unloadable data in the Old Data Monitor, that allows discarding this data. Build records are only loaded from disk when needed however, so some builds stored in Jenkins may not immediately appear there.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:parameterized-trigger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.43.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T20:44:33Z",
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.\n\nExisting `build.xml` files are not automatically updated to remove captured environment variables. They need to be manually cleaned up. To help with this, the plugin will report environment variables stored in `build.xml` as unloadable data in the Old Data Monitor, that allows discarding this data. Build records are only loaded from disk when needed however, so some builds stored in Jenkins may not immediately appear there.",
  "id": "GHSA-5mpf-hw8f-86w9",
  "modified": "2022-11-30T20:44:33Z",
  "published": "2022-03-16T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/parameterized-trigger-plugin/commit/6b7cd2272cbd9f97416bff7ea19132b9aad0898d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/parameterized-trigger-plugin/commit/b5ec2b48df3c4f7b4999c4edf137b34fbea694fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/parameterized-trigger-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2185"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin"
}

GHSA-5MPV-CWQV-8722

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05
VLAI
Details

The destroy_one_secret function in nm-setting-vpn.c in libnm-util in the NetworkManager package 0.8.999-3.git20110526 in Fedora 15 creates a log entry containing a certificate password, which allows local users to obtain sensitive information by reading a log file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-14T17:55:00Z",
    "severity": "LOW"
  },
  "details": "The destroy_one_secret function in nm-setting-vpn.c in libnm-util in the NetworkManager package 0.8.999-3.git20110526 in Fedora 15 creates a log entry containing a certificate password, which allows local users to obtain sensitive information by reading a log file.",
  "id": "GHSA-5mpv-cwqv-8722",
  "modified": "2022-05-13T01:05:23Z",
  "published": "2022-05-13T01:05:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1943"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=708876"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68057"
    },
    {
      "type": "WEB",
      "url": "http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=78ce088843d59d4494965bfc40b30a2e63d065f6"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061329.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/05/31/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/05/31/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5P63-2CWC-2X43

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.  Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.

Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-25T07:16:14Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information into Log File (CWE-532)\u00a0in some Command Centre Service installers could lead to Service Account credentials exposure.\u202f\nMitigating Factor:\u00a0Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.\n\nMitigation:\u00a0For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\\Gallagher\\Command Centre.",
  "id": "GHSA-5p63-2cwc-2x43",
  "modified": "2026-05-26T13:30:39Z",
  "published": "2026-05-26T13:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25193"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q4M-VWW4-2RHM

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:09
VLAI
Details

Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters? default values to be part of the application logs leading to Information Disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-08T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters? default values to be part of the application logs leading to Information Disclosure.",
  "id": "GHSA-5q4m-vww4-2rhm",
  "modified": "2024-04-04T02:09:42Z",
  "published": "2022-05-24T16:57:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0380"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2828682"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q93-M8W2-XMP8

Vulnerability from github – Published: 2025-03-27 00:31 – Updated: 2025-07-21 21:31
VLAI
Details

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T22:15:15Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the \u201cadmin\u201c or \u201cpower\u201c Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.\u003cbr\u003e\u003cbr\u003eThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.",
  "id": "GHSA-5q93-m8w2-xmp8",
  "modified": "2025-07-21T21:31:27Z",
  "published": "2025-03-27T00:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20231"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0302"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QP4-PV6P-8GCX

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure.

This issue affects Avantra: before 25.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T14:16:29Z",
    "severity": "HIGH"
  },
  "details": "Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure.\n\nThis issue affects Avantra: before 25.3.0.",
  "id": "GHSA-5qp4-pv6p-8gcx",
  "modified": "2026-05-26T13:30:17Z",
  "published": "2026-05-26T13:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8671"
    },
    {
      "type": "WEB",
      "url": "https://support.avantra.com/hc/en-us/articles/5535487249183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RC7-2JJ6-MP64

Vulnerability from github – Published: 2026-02-26 20:00 – Updated: 2026-02-26 20:00
VLAI
Summary
Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure
Details

Impact

The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction.

Important: Provider debug logging is not enabled by default.
This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment.

Specifically: - Instance creation operations logged the full InstanceCreateOptions struct containing RootPass and StackScriptData - Instance disk creation logged InstanceDiskCreateOptions containing RootPass and StackscriptData - StackScript update operations logged the complete script content via StackscriptUpdateOptions.Script - Image share group member creation logged tokens in ImageShareGroupAddMemberOptions.Token - Object storage operations logged full PutObjectInput structures containing user data - NodeBalancer config create and update operations logged NodeBalancerConfigCreateOptions and NodeBalancerConfigUpdateOptions containing the SSLKey (TLS private key)

An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials.

Patches

Update to version v3.9.0 or later, which sanitizes debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content.

Workarounds and Mitigations

  • Disable Terraform/provider debug logging or set it to WARN level or above
  • To disable the logging, you can unset TF_LOG_PROVIDER and TF_LOG environment variables
  • Or you can set them to WARN or ERROR levels to avoid sensitive information logged in INFO and DEBUG levels.
  • See Terraform docs for details: https://developer.hashicorp.com/terraform/internals/debugging
  • Restrict access to existing and historical logs
  • Purge/retention-trim logs that may contain sensitive values
  • Rotate potentially exposed secrets/credentials, including:
  • Root passwords
  • Image share group tokens
  • TLS private keys/certificates used in NodeBalancer configs
  • StackScript content/secrets if embedded

Credits

This issue was reported to Terraform by Hasan Sheet via Akamai's HackerOne Bug Bounty program.

Resources

https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0 https://github.com/linode/terraform-provider-linode/pull/2269 https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/linode/terraform-provider-linode/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/linode/terraform-provider-linode/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.41.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/linode/terraform-provider-linode"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T20:00:12Z",
    "nvd_published_at": "2026-02-26T02:16:20Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction.\n\n**Important:** Provider debug logging is **not enabled by default**.  \nThis issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment.\n\nSpecifically:\n- Instance creation operations logged the full InstanceCreateOptions struct containing RootPass and StackScriptData\n- Instance disk creation logged InstanceDiskCreateOptions containing RootPass and StackscriptData\n- StackScript update operations logged the complete script content via StackscriptUpdateOptions.Script\n- Image share group member creation logged tokens in ImageShareGroupAddMemberOptions.Token\n- Object storage operations logged full PutObjectInput structures containing user data\n- NodeBalancer config create and update operations logged NodeBalancerConfigCreateOptions and NodeBalancerConfigUpdateOptions containing the SSLKey (TLS private key)\n\nAn authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials.\n\n### Patches\nUpdate to version v3.9.0 or later, which sanitizes debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content.\n\n### Workarounds and Mitigations\n- Disable Terraform/provider debug logging or set it to `WARN` level or above\n  - To disable the logging, you can unset `TF_LOG_PROVIDER` and `TF_LOG` environment variables\n  - Or you can set them to `WARN` or `ERROR` levels to avoid sensitive information logged in `INFO` and `DEBUG` levels.\n  - See Terraform docs for details: https://developer.hashicorp.com/terraform/internals/debugging\n- Restrict access to existing and historical logs\n- Purge/retention-trim logs that may contain sensitive values\n- Rotate potentially exposed secrets/credentials, including:\n  - Root passwords\n  - Image share group tokens\n  - TLS private keys/certificates used in NodeBalancer configs\n  - StackScript content/secrets if embedded\n\n### Credits\nThis issue was reported to Terraform by Hasan Sheet via [Akamai\u0027s HackerOne Bug Bounty program](https://hackerone.com/akamai).\n\n### Resources\nhttps://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0\nhttps://github.com/linode/terraform-provider-linode/pull/2269\nhttps://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0",
  "id": "GHSA-5rc7-2jj6-mp64",
  "modified": "2026-02-26T20:00:12Z",
  "published": "2026-02-26T20:00:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linode/terraform-provider-linode/pull/2269"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/linode/terraform-provider-linode"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/02/26/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Terraform Provider  for Linode Debug Logs Vulnerable to Sensitive Information Exposure"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.