CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-76JG-HR4P-QMFV
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
{
"affected": [],
"aliases": [
"CVE-2019-7612"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-25T19:29:00Z",
"severity": "CRITICAL"
},
"details": "A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.",
"id": "GHSA-76jg-hr4p-qmfv",
"modified": "2022-05-13T01:14:53Z",
"published": "2022-05-13T01:14:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7612"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190411-0002"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76RJ-9H8W-CWX9
Vulnerability from github – Published: 2025-02-04 18:30 – Updated: 2025-02-04 18:30An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.
{
"affected": [],
"aliases": [
"CVE-2022-43933"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-21T11:15:11Z",
"severity": "MODERATE"
},
"details": "An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.",
"id": "GHSA-76rj-9h8w-cwx9",
"modified": "2025-02-04T18:30:46Z",
"published": "2025-02-04T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43933"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76XG-73QG-PHM7
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-10-02 15:30A vulnerability identified in OpenText™ Identity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0
{
"affected": [],
"aliases": [
"CVE-2021-22518"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T13:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability identified in OpenText\u2122 \nIdentity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0",
"id": "GHSA-76xg-73qg-phm7",
"modified": "2024-10-02T15:30:36Z",
"published": "2024-09-12T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22518"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/identity-manager-48-drivers/AzureADDriver514/data/AzureADDriver514.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-774Q-RXHC-65MJ
Vulnerability from github – Published: 2023-06-27 00:30 – Updated: 2024-04-04 05:11A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.
{
"affected": [],
"aliases": [
"CVE-2023-35695"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T22:15:11Z",
"severity": "HIGH"
},
"details": "A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.",
"id": "GHSA-774q-rxhc-65mj",
"modified": "2024-04-04T05:11:40Z",
"published": "2023-06-27T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35695"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2023-17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-776C-GGQP-XJXG
Vulnerability from github – Published: 2025-08-11 15:32 – Updated: 2025-08-11 15:32Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs
{
"affected": [],
"aliases": [
"CVE-2025-8864"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T14:15:28Z",
"severity": "MODERATE"
},
"details": "Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs",
"id": "GHSA-776c-ggqp-xjxg",
"modified": "2025-08-11T15:32:42Z",
"published": "2025-08-11T15:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8864"
},
{
"type": "WEB",
"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-77HG-8GW6-8F33
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29Brocade Fabric OS versions before Brocade Fabric OS v7.4.2g could allow an authenticated, remote attacker to view a user password in cleartext. The vulnerability is due to incorrectly logging the user password in log files.
{
"affected": [],
"aliases": [
"CVE-2020-15370"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "Brocade Fabric OS versions before Brocade Fabric OS v7.4.2g could allow an authenticated, remote attacker to view a user password in cleartext. The vulnerability is due to incorrectly logging the user password in log files.",
"id": "GHSA-77hg-8gw6-8f33",
"modified": "2022-05-24T17:29:33Z",
"published": "2022-05-24T17:29:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15370"
},
{
"type": "WEB",
"url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2020-1079"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-784X-8M4V-C8CC
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.
{
"affected": [],
"aliases": [
"CVE-2018-7204"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-07T20:29:00Z",
"severity": "HIGH"
},
"details": "inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.",
"id": "GHSA-784x-8m4v-c8cc",
"modified": "2022-05-13T01:53:17Z",
"published": "2022-05-13T01:53:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7204"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/1823035/file-manager"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/file-manager/#developers"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/9036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-785X-QW4V-6872
Vulnerability from github – Published: 2022-02-09 22:00 – Updated: 2024-09-05 00:44An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14330"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T16:14:01Z",
"nvd_published_at": "2020-09-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-785x-qw4v-6872",
"modified": "2024-09-05T00:44:53Z",
"published": "2022-02-09T22:00:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14330"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/issues/68400"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/69653"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/e0f25a2b1f9e6c21f751ba0ed2dc2eee2152983e"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-785x-qw4v-6872"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-3.yaml"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible"
}
GHSA-7C2F-R6GC-H92H
Vulnerability from github – Published: 2026-01-16 12:30 – Updated: 2026-06-05 14:25In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.
Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0b1"
},
{
"fixed": "3.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68675"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-16T21:00:10Z",
"nvd_published_at": "2026-01-16T11:16:03Z",
"severity": "HIGH"
},
"details": "In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue.",
"id": "GHSA-7c2f-r6gc-h92h",
"modified": "2026-06-05T14:25:12Z",
"published": "2026-01-16T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68675"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/59688"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-10.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/01/15/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow proxy credentials for various providers might leak in task logs"
}
GHSA-7C3V-VC3X-X789
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-10-26 16:24Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.
That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.
Configuration as Code Plugin now uses the same secret detection for these log messages.
As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.26"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins:configuration-as-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10367"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T22:36:48Z",
"nvd_published_at": "2019-08-07T15:15:00Z",
"severity": "MODERATE"
},
"details": "Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the [fix for SECURITY-1279 in the 2019-07-31 security advisory](https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1279).\n\nThat fix was incomplete and did not cover a log message written to the logger `io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator`.\n\nConfiguration as Code Plugin now uses the same secret detection for these log messages.\n\nAs a workaround, administrators can configure the logging level of the logger `io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator` to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the `INFO` level, Configuration as Code Plugin 1.26 logs them at `FINE`. See the logging documentation for details.",
"id": "GHSA-7c3v-vc3x-x789",
"modified": "2023-10-26T16:24:01Z",
"published": "2022-05-24T16:52:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10367"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/322ef83f3200ce6076129c014209ef938e556774"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1497"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1279"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.