CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1738 vulnerabilities reference this CWE, most recent first.
GHSA-5XFG-WV98-264M
Vulnerability from github – Published: 2024-04-24 20:02 – Updated: 2024-04-24 20:02In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubernetes/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8563"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T20:02:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager\u0027s log. This affects \u003c v1.19.3.",
"id": "GHSA-5xfg-wv98-264m",
"modified": "2024-04-24T20:02:21Z",
"published": "2024-04-24T20:02:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8563"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/95621"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/95236"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/95236/commits/247f6dd09299bc7893c1e0affea11c0255025b96"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886635"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210122-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sensitive Information leak via Log File in Kubernetes"
}
GHSA-635V-PC42-FR74
Vulnerability from github – Published: 2024-09-11 19:20 – Updated: 2024-09-11 19:20Description
For SageMaker Training Toolkit[1] versions 4.7.4; 4.7.3; 4.7.2; 4.7.1; 4.7.0, the authorization tokens for CodeArtifact (temporary token with an expiration of 12 hours) were logged in the log files when the CodeArtifact capability was enabled. If customers push these log files to their CloudWatch Log streams, anyone having access to cloudwatch logs within their AWS account, may be abe to see the authorization token. If the token is not expired, they may use the authorization token to publish or consume CodeArtifact package versions.
This issue was addressed in version 4.8.0. We recommend users upgrade to version 4.8.0 or higher.
Please note that users can add SageMaker Training Toolkit to any Docker container[2] used for SageMaker training[3]. It also comes pre-packaged with the prebuilt SageMaker Docker image[4] for SageMaker training.
Patches
This issue has been addressed in version 4.8.0 and higher.
Workarounds
N/A
References
N/A
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page[5] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] https://github.com/aws/sagemaker-training-toolkit [2] https://www.docker.com/resources/what-container/ [3] https://aws.amazon.com/sagemaker/train/ [4] https://docs.aws.amazon.com/sagemaker/latest/dg/pre-built-containers-frameworks-deep-learning.html [5] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sagemaker-training"
},
"ranges": [
{
"events": [
{
"introduced": "4.7.0"
},
{
"fixed": "4.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-11T19:20:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Description\nFor SageMaker Training Toolkit[1] versions 4.7.4; 4.7.3; 4.7.2; 4.7.1; 4.7.0, the authorization tokens for CodeArtifact (temporary token with an expiration of 12 hours) were logged in the log files when the CodeArtifact capability was enabled. If customers push these log files to their CloudWatch Log streams, anyone having access to cloudwatch logs within their AWS account, may be abe to see the authorization token. If the token is not expired, they may use the authorization token to publish or consume CodeArtifact package versions.\n\nThis issue was addressed in version 4.8.0. We recommend users upgrade to version 4.8.0 or higher. \n\nPlease note that users can add SageMaker Training Toolkit to any Docker container[2] used for SageMaker training[3]. It also comes pre-packaged with the prebuilt SageMaker Docker image[4] for SageMaker training. \n\n## Patches\nThis issue has been addressed in version 4.8.0 and higher.\n\n## Workarounds\nN/A\n\n## References\nN/A\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page[5] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://github.com/aws/sagemaker-training-toolkit\n[2] https://www.docker.com/resources/what-container/\n[3] https://aws.amazon.com/sagemaker/train/\n[4] https://docs.aws.amazon.com/sagemaker/latest/dg/pre-built-containers-frameworks-deep-learning.html\n[5] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting",
"id": "GHSA-635v-pc42-fr74",
"modified": "2024-09-11T19:20:42Z",
"published": "2024-09-11T19:20:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-training-toolkit/security/advisories/GHSA-635v-pc42-fr74"
},
{
"type": "WEB",
"url": "https://github.com/aws/sagemaker-training-toolkit/commit/d8e56c90fa7fcc7421c0f7193bf9650fc2967213"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/sagemaker-training-toolkit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS SageMaker Training Toolkit logs CodeArtifact Authorization token"
}
GHSA-636W-X3WJ-WJ9P
Vulnerability from github – Published: 2022-11-18 21:30 – Updated: 2025-04-30 15:30Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
{
"affected": [],
"aliases": [
"CVE-2022-43673"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database.",
"id": "GHSA-636w-x3wj-wj9p",
"modified": "2025-04-30T15:30:40Z",
"published": "2022-11-18T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43673"
},
{
"type": "WEB",
"url": "https://wire.com"
},
{
"type": "WEB",
"url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6393-6W3W-9W86
Vulnerability from github – Published: 2024-04-29 09:31 – Updated: 2026-04-28 21:35Insertion of Sensitive Information into Log File vulnerability in Solid Plugins Solid Affiliate.This issue affects Solid Affiliate: from n/a through 1.9.1.
{
"affected": [],
"aliases": [
"CVE-2024-33637"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-29T08:15:08Z",
"severity": "HIGH"
},
"details": "Insertion of Sensitive Information into Log File vulnerability in Solid Plugins Solid Affiliate.This issue affects Solid Affiliate: from n/a through 1.9.1.",
"id": "GHSA-6393-6w3w-9w86",
"modified": "2026-04-28T21:35:00Z",
"published": "2024-04-29T09:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33637"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/solid-affiliate/wordpress-solid-affiliate-plugin-1-9-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-63PJ-8C5P-X939
Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2025-04-29 18:30A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.
{
"affected": [],
"aliases": [
"CVE-2025-4090"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T14:15:35Z",
"severity": "MODERATE"
},
"details": "A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox \u003c 138 and Thunderbird \u003c 138.",
"id": "GHSA-63pj-8c5p-x939",
"modified": "2025-04-29T18:30:58Z",
"published": "2025-04-29T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4090"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1929478"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-28"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6489-3C6F-G4G6
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
{
"affected": [],
"aliases": [
"CVE-2014-3536"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-15T22:15:00Z",
"severity": "MODERATE"
},
"details": "CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration",
"id": "GHSA-6489-3c6f-g4g6",
"modified": "2024-04-03T23:59:46Z",
"published": "2022-05-17T19:57:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3536"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2014-3536"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-64QM-6FCC-V9X3
Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17Dell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.
{
"affected": [],
"aliases": [
"CVE-2023-32455"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-20T13:15:11Z",
"severity": "MODERATE"
},
"details": "\nDell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.\n\n",
"id": "GHSA-64qm-6fcc-v9x3",
"modified": "2024-04-04T06:17:44Z",
"published": "2023-07-20T18:33:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32455"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000215864/dsa-2023-247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-65G2-X53Q-CMF6
Vulnerability from github – Published: 2023-04-24 22:44 – Updated: 2023-04-24 22:44Summary
Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info logging level during the kitchen converge action. Prior to v7.0.0, the output values were printed at the debug level to avoid writing sensitive values to the terminal by default.
Original Report
@brettcurtis:
Hopefully, I'm not doing something stupid here, but I'm seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215
It's not really a sensitive value just used it as an example.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "kitchen-terraform"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-30618"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-24T22:44:38Z",
"nvd_published_at": "2023-04-21T20:15:07Z",
"severity": "LOW"
},
"details": "### Summary\n\nKitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default.\n\n### Original Report\n\n@brettcurtis:\n\u003e Hopefully, I\u0027m not doing something stupid here, but I\u0027m seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215\n\u003e\n\u003e It\u0027s not really a sensitive value just used it as an example.",
"id": "GHSA-65g2-x53q-cmf6",
"modified": "2023-04-24T22:44:38Z",
"published": "2023-04-24T22:44:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30618"
},
{
"type": "WEB",
"url": "https://github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48"
},
{
"type": "PACKAGE",
"url": "https://github.com/newcontext-oss/kitchen-terraform"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kitchen-terraform/CVE-2023-30618.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform"
}
GHSA-65MR-XQPW-R9XG
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.
{
"affected": [],
"aliases": [
"CVE-2021-20359"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.",
"id": "GHSA-65mr-xqpw-r9xg",
"modified": "2022-05-24T17:41:18Z",
"published": "2022-05-24T17:41:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20359"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194966"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6412345"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-65V9-X5FQ-VJG9
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.
{
"affected": [],
"aliases": [
"CVE-2022-33697"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "LOW"
},
"details": "Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.",
"id": "GHSA-65v9-x5fq-vjg9",
"modified": "2022-07-17T00:00:45Z",
"published": "2022-07-13T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33697"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.