Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-76JG-HR4P-QMFV

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-25T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.",
  "id": "GHSA-76jg-hr4p-qmfv",
  "modified": "2022-05-13T01:14:53Z",
  "published": "2022-05-13T01:14:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7612"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190411-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76RJ-9H8W-CWX9

Vulnerability from github – Published: 2025-02-04 18:30 – Updated: 2025-02-04 18:30
VLAI
Details

An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532",
      "CWE-538"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.",
  "id": "GHSA-76rj-9h8w-cwx9",
  "modified": "2025-02-04T18:30:46Z",
  "published": "2025-02-04T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43933"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21221"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76XG-73QG-PHM7

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-10-02 15:30
VLAI
Details

A vulnerability identified in OpenText™ Identity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-12T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability identified in OpenText\u2122 \nIdentity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0",
  "id": "GHSA-76xg-73qg-phm7",
  "modified": "2024-10-02T15:30:36Z",
  "published": "2024-09-12T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22518"
    },
    {
      "type": "WEB",
      "url": "https://www.netiq.com/documentation/identity-manager-48-drivers/AzureADDriver514/data/AzureADDriver514.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-774Q-RXHC-65MJ

Vulnerability from github – Published: 2023-06-27 00:30 – Updated: 2024-04-04 05:11
VLAI
Details

A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-26T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.",
  "id": "GHSA-774q-rxhc-65mj",
  "modified": "2024-04-04T05:11:40Z",
  "published": "2023-06-27T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35695"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2023-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-776C-GGQP-XJXG

Vulnerability from github – Published: 2025-08-11 15:32 – Updated: 2025-08-11 15:32
VLAI
Details

Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-11T14:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs",
  "id": "GHSA-776c-ggqp-xjxg",
  "modified": "2025-08-11T15:32:42Z",
  "published": "2025-08-11T15:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8864"
    },
    {
      "type": "WEB",
      "url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-77HG-8GW6-8F33

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

Brocade Fabric OS versions before Brocade Fabric OS v7.4.2g could allow an authenticated, remote attacker to view a user password in cleartext. The vulnerability is due to incorrectly logging the user password in log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-25T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Brocade Fabric OS versions before Brocade Fabric OS v7.4.2g could allow an authenticated, remote attacker to view a user password in cleartext. The vulnerability is due to incorrectly logging the user password in log files.",
  "id": "GHSA-77hg-8gw6-8f33",
  "modified": "2022-05-24T17:29:33Z",
  "published": "2022-05-24T17:29:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15370"
    },
    {
      "type": "WEB",
      "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2020-1079"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-784X-8M4V-C8CC

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-07T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.",
  "id": "GHSA-784x-8m4v-c8cc",
  "modified": "2022-05-13T01:53:17Z",
  "published": "2022-05-13T01:53:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7204"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/1823035/file-manager"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/file-manager/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-785X-QW4V-6872

Vulnerability from github – Published: 2022-02-09 22:00 – Updated: 2024-09-05 00:44
VLAI
Summary
Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible
Details

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T16:14:01Z",
    "nvd_published_at": "2020-09-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.",
  "id": "GHSA-785x-qw4v-6872",
  "modified": "2024-09-05T00:44:53Z",
  "published": "2022-02-09T22:00:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14330"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/issues/68400"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/69653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/e0f25a2b1f9e6c21f751ba0ed2dc2eee2152983e"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-785x-qw4v-6872"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-3.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible"
}

GHSA-7C2F-R6GC-H92H

Vulnerability from github – Published: 2026-01-16 12:30 – Updated: 2026-06-05 14:25
VLAI
Summary
Apache Airflow proxy credentials for various providers might leak in task logs
Details

In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0b1"
            },
            {
              "fixed": "3.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T21:00:10Z",
    "nvd_published_at": "2026-01-16T11:16:03Z",
    "severity": "HIGH"
  },
  "details": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue.",
  "id": "GHSA-7c2f-r6gc-h92h",
  "modified": "2026-06-05T14:25:12Z",
  "published": "2026-01-16T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/59688"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-10.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/15/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow proxy credentials for various providers might leak in task logs"
}

GHSA-7C3V-VC3X-X789

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-10-26 16:24
VLAI
Summary
Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin
Details

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.26"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T22:36:48Z",
    "nvd_published_at": "2019-08-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the [fix for SECURITY-1279 in the 2019-07-31 security advisory](https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1279).\n\nThat fix was incomplete and did not cover a log message written to the logger `io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator`.\n\nConfiguration as Code Plugin now uses the same secret detection for these log messages.\n\nAs a workaround, administrators can configure the logging level of the logger `io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator` to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the `INFO` level, Configuration as Code Plugin 1.26 logs them at `FINE`. See the logging documentation for details.",
  "id": "GHSA-7c3v-vc3x-x789",
  "modified": "2023-10-26T16:24:01Z",
  "published": "2022-05-24T16:52:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10367"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/322ef83f3200ce6076129c014209ef938e556774"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1497"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1279"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.