Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1738 vulnerabilities reference this CWE, most recent first.

GHSA-5XFG-WV98-264M

Vulnerability from github – Published: 2024-04-24 20:02 – Updated: 2024-04-24 20:02
VLAI
Summary
Sensitive Information leak via Log File in Kubernetes
Details

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubernetes/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.19.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T20:02:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager\u0027s log. This affects \u003c v1.19.3.",
  "id": "GHSA-5xfg-wv98-264m",
  "modified": "2024-04-24T20:02:21Z",
  "published": "2024-04-24T20:02:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8563"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/95621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/95236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/95236/commits/247f6dd09299bc7893c1e0affea11c0255025b96"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886635"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210122-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive Information leak via Log File in Kubernetes"
}

GHSA-635V-PC42-FR74

Vulnerability from github – Published: 2024-09-11 19:20 – Updated: 2024-09-11 19:20
VLAI
Summary
AWS SageMaker Training Toolkit logs CodeArtifact Authorization token
Details

Description

For SageMaker Training Toolkit[1] versions 4.7.4; 4.7.3; 4.7.2; 4.7.1; 4.7.0, the authorization tokens for CodeArtifact (temporary token with an expiration of 12 hours) were logged in the log files when the CodeArtifact capability was enabled. If customers push these log files to their CloudWatch Log streams, anyone having access to cloudwatch logs within their AWS account, may be abe to see the authorization token. If the token is not expired, they may use the authorization token to publish or consume CodeArtifact package versions.

This issue was addressed in version 4.8.0. We recommend users upgrade to version 4.8.0 or higher.

Please note that users can add SageMaker Training Toolkit to any Docker container[2] used for SageMaker training[3]. It also comes pre-packaged with the prebuilt SageMaker Docker image[4] for SageMaker training.

Patches

This issue has been addressed in version 4.8.0 and higher.

Workarounds

N/A

References

N/A

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page[5] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://github.com/aws/sagemaker-training-toolkit [2] https://www.docker.com/resources/what-container/ [3] https://aws.amazon.com/sagemaker/train/ [4] https://docs.aws.amazon.com/sagemaker/latest/dg/pre-built-containers-frameworks-deep-learning.html [5] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sagemaker-training"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.7.0"
            },
            {
              "fixed": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T19:20:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Description\nFor SageMaker Training Toolkit[1] versions 4.7.4; 4.7.3; 4.7.2; 4.7.1; 4.7.0, the authorization tokens for CodeArtifact (temporary token with an expiration of 12 hours) were logged in the log files when the CodeArtifact capability was enabled. If customers push these log files to their CloudWatch Log streams, anyone having access to cloudwatch logs within their AWS account, may be abe to see the authorization token. If the token is not expired, they may use the authorization token to publish or consume CodeArtifact package versions.\n\nThis issue was addressed in version 4.8.0. We recommend users upgrade to version 4.8.0 or higher.  \n\nPlease note that users can add SageMaker Training Toolkit to any Docker container[2] used for SageMaker training[3]. It also comes pre-packaged with the prebuilt SageMaker Docker image[4] for SageMaker training. \n\n## Patches\nThis issue has been addressed in version 4.8.0 and higher.\n\n## Workarounds\nN/A\n\n## References\nN/A\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page[5] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://github.com/aws/sagemaker-training-toolkit\n[2] https://www.docker.com/resources/what-container/\n[3] https://aws.amazon.com/sagemaker/train/\n[4] https://docs.aws.amazon.com/sagemaker/latest/dg/pre-built-containers-frameworks-deep-learning.html\n[5] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting",
  "id": "GHSA-635v-pc42-fr74",
  "modified": "2024-09-11T19:20:42Z",
  "published": "2024-09-11T19:20:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-training-toolkit/security/advisories/GHSA-635v-pc42-fr74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-training-toolkit/commit/d8e56c90fa7fcc7421c0f7193bf9650fc2967213"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/sagemaker-training-toolkit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AWS SageMaker Training Toolkit logs CodeArtifact Authorization token"
}

GHSA-636W-X3WJ-WJ9P

Vulnerability from github – Published: 2022-11-18 21:30 – Updated: 2025-04-30 15:30
VLAI
Details

Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database.",
  "id": "GHSA-636w-x3wj-wj9p",
  "modified": "2025-04-30T15:30:40Z",
  "published": "2022-11-18T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43673"
    },
    {
      "type": "WEB",
      "url": "https://wire.com"
    },
    {
      "type": "WEB",
      "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6393-6W3W-9W86

Vulnerability from github – Published: 2024-04-29 09:31 – Updated: 2026-04-28 21:35
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Solid Plugins Solid Affiliate.This issue affects Solid Affiliate: from n/a through 1.9.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T08:15:08Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Solid Plugins Solid Affiliate.This issue affects Solid Affiliate: from n/a through 1.9.1.",
  "id": "GHSA-6393-6w3w-9w86",
  "modified": "2026-04-28T21:35:00Z",
  "published": "2024-04-29T09:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33637"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/solid-affiliate/wordpress-solid-affiliate-plugin-1-9-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63PJ-8C5P-X939

Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2025-04-29 18:30
VLAI
Details

A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox \u003c 138 and Thunderbird \u003c 138.",
  "id": "GHSA-63pj-8c5p-x939",
  "modified": "2025-04-29T18:30:58Z",
  "published": "2025-04-29T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4090"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1929478"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-28"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6489-3C6F-G4G6

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59
VLAI
Details

CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-3536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-15T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration",
  "id": "GHSA-6489-3c6f-g4g6",
  "modified": "2024-04-03T23:59:46Z",
  "published": "2022-05-17T19:57:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3536"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2014-3536"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64QM-6FCC-V9X3

Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17
VLAI
Details

Dell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T13:15:11Z",
    "severity": "MODERATE"
  },
  "details": "\nDell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.\n\n",
  "id": "GHSA-64qm-6fcc-v9x3",
  "modified": "2024-04-04T06:17:44Z",
  "published": "2023-07-20T18:33:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32455"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000215864/dsa-2023-247"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65G2-X53Q-CMF6

Vulnerability from github – Published: 2023-04-24 22:44 – Updated: 2023-04-24 22:44
VLAI
Summary
Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform
Details

Summary

Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info logging level during the kitchen converge action. Prior to v7.0.0, the output values were printed at the debug level to avoid writing sensitive values to the terminal by default.

Original Report

@brettcurtis:

Hopefully, I'm not doing something stupid here, but I'm seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215

It's not really a sensitive value just used it as an example.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "kitchen-terraform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-24T22:44:38Z",
    "nvd_published_at": "2023-04-21T20:15:07Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nKitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default.\n\n### Original Report\n\n@brettcurtis:\n\u003e Hopefully, I\u0027m not doing something stupid here, but I\u0027m seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215\n\u003e\n\u003e It\u0027s not really a sensitive value just used it as an example.",
  "id": "GHSA-65g2-x53q-cmf6",
  "modified": "2023-04-24T22:44:38Z",
  "published": "2023-04-24T22:44:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/newcontext-oss/kitchen-terraform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kitchen-terraform/CVE-2023-30618.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform"
}

GHSA-65MR-XQPW-R9XG

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.",
  "id": "GHSA-65mr-xqpw-r9xg",
  "modified": "2022-05-24T17:41:18Z",
  "published": "2022-05-24T17:41:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20359"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194966"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6412345"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-65V9-X5FQ-VJG9

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00
VLAI
Details

Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.",
  "id": "GHSA-65v9-x5fq-vjg9",
  "modified": "2022-07-17T00:00:45Z",
  "published": "2022-07-13T00:01:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33697"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.