Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-7CG9-F395-4PCQ

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-02T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873.",
  "id": "GHSA-7cg9-f395-4pcq",
  "modified": "2022-05-13T01:32:40Z",
  "published": "2022-05-13T01:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1788"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148873"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10730357"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105818"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CH5-P674-P2HP

Vulnerability from github – Published: 2024-11-13 15:31 – Updated: 2024-11-14 18:30
VLAI
Details

An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The leakage occurs during the backup procedure, leading to potential unauthorized access to resources associated with the SAS token. This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T15:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. This oversight results in sensitive information leakage within the yb_backup log files, exposing the SAS token in plaintext. The leakage occurs during the backup procedure, leading to potential unauthorized access to resources associated with the SAS token.\u00a0This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.",
  "id": "GHSA-7ch5-p674-p2hp",
  "modified": "2024-11-14T18:30:34Z",
  "published": "2024-11-13T15:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yugabyte/yugabyte-db/commit/920989b6c0db0222bb7a0cce46febc76cf72d438"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7CJH-XX4R-QH3F

Vulnerability from github – Published: 2025-06-20 13:28 – Updated: 2025-06-20 19:27
VLAI
Summary
sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+
Details

Impact

Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet the following conditions: - Using any sentry-android with versions < 8.14.0 - Using Jetpack Compose >= 1.8.0-alpha08 - This includes any alpha, beta, release candidate, or general availability after this version - Have configured Sentry Session Replays for Android

[!IMPORTANT] If you do not use Jetpack Compose or have never used a version >= 1.8.0-alpha08 you are not impacted.

[!IMPORTANT] If you have not configured Session Replays for Mobile you are not impacted.

How do I check if I'm impacted?

If you meet the conditions above, the sentry-android package includes a specific error log that would indicate you may be impacted. Customers may use logcat to search for this event.

I'm impacted and want this data deleted

If you've confirmed that you're affected and unmasked sensitive data in Session Replays have reached Sentry servers, you can please see this documentation on deleting individual replays. If you'd like to request bulk deletion, please reach out to your Account Manager or support@sentry.io to request deletion.

Patches

Upgrade the sentry-android SDK to version 8.14.0

Workarounds

We recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either: - Downgrade their use of Jetpack Compose to <= 1.7.x - Drop session sample rates to 0.0

options.sessionReplay.onErrorSampleRate = 0.0
options.sessionReplay.sessionSampleRate = 0.0

Please see our documentation for more information configuring Session Replays for Android.

References

This issue was identified in Issue https://github.com/getsentry/sentry-java/issues/4467 and fixed in https://github.com/getsentry/sentry-java/pull/4485

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.sentry:sentry-android"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.sentry:sentry-android-replay"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-20T13:28:26Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nUnder specific circumstances, text composables may contain unmasked sensitive data in Android session replays.  You may be impacted if you meet the following conditions:\n- Using any `sentry-android` with versions \u003c 8.14.0 \n- Using Jetpack Compose \u003e= [1.8.0-alpha08](https://developer.android.com/jetpack/androidx/releases/compose-ui#1.8.0-alpha08)\n  - This includes any alpha, beta, release candidate, or general availability after this version\n- Have configured Sentry Session Replays for Android\n\n\u003e [!IMPORTANT] \n\u003e If you do not use Jetpack Compose or have never used a version \u003e= 1.8.0-alpha08 you are not impacted. \n\n\u003e [!IMPORTANT] \n\u003e If you have not configured [Session Replays for Mobile](https://docs.sentry.io/product/explore/session-replay/mobile/) you are not impacted.\n\n### How do I check if I\u0027m impacted?\n\nIf you meet the conditions above, the `sentry-android` package includes a [specific error log](https://github.com/getsentry/sentry-java/blob/b2920907e6afb69a8027cedb251dd94a3514f0e6/sentry-android-replay/src/main/java/io/sentry/android/replay/viewhierarchy/ComposeViewHierarchyNode.kt#L252-L261) that would indicate you may be impacted. Customers may use [logcat](https://developer.android.com/tools/logcat) to search for this event.\n\n### I\u0027m impacted and want this data deleted\n\nIf you\u0027ve confirmed that you\u0027re affected and unmasked sensitive data in Session Replays have reached Sentry servers, you can please see this documentation on [deleting individual replays](https://docs.sentry.io/product/explore/session-replay/web/replay-details/#delete-replays). If you\u0027d like to request bulk deletion, please reach out to your Account Manager or support@sentry.io to request deletion. \n\n### Patches\n\nUpgrade the `sentry-android` SDK to version [8.14.0](https://github.com/getsentry/sentry-java/releases/tag/8.14.0)\n\n### Workarounds\n\nWe recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either:\n- Downgrade their use of Jetpack Compose to \u003c= 1.7.x\n- Drop session sample rates to 0.0 \n```\noptions.sessionReplay.onErrorSampleRate = 0.0\noptions.sessionReplay.sessionSampleRate = 0.0\n```\nPlease see our documentation for more information configuring [Session Replays for Android](https://docs.sentry.io/platforms/android/session-replay/#set-up).\n\n### References\n\nThis issue was identified in Issue https://github.com/getsentry/sentry-java/issues/4467 and fixed in https://github.com/getsentry/sentry-java/pull/4485",
  "id": "GHSA-7cjh-xx4r-qh3f",
  "modified": "2025-06-20T19:27:36Z",
  "published": "2025-06-20T13:28:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-java/security/advisories/GHSA-7cjh-xx4r-qh3f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-java/issues/4467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-java/pull/4485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-java/commit/8bfa9cceab402e58f6723a0694158d27e8a41a56"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-java/releases/tag/8.14.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+"
}

GHSA-7CP7-JFP6-JH4F

Vulnerability from github – Published: 2023-01-20 17:33 – Updated: 2023-01-25 17:57
VLAI
Summary
Shopware's log module vulnerable to Improper Output Neutralization
Details

Impact

The log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.

Patches

Update to the latest 6.4.18.1 version.

Workarounds

  • For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
  • Remove from all users the log module ACL rights
  • Disable logging

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.18.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.18.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T17:33:54Z",
    "nvd_published_at": "2023-01-17T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.\n\n### Patches\nUpdate to the latest 6.4.18.1 version.\n\n### Workarounds\n- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. \n- Remove from all users the log module ACL rights\n- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)\n\n### References\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates\n\n\n",
  "id": "GHSA-7cp7-jfp6-jh4f",
  "modified": "2023-01-25T17:57:42Z",
  "published": "2023-01-20T17:33:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07"
    },
    {
      "type": "WEB",
      "url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopware\u0027s log module vulnerable to Improper Output Neutralization"
}

GHSA-7FHR-RH46-HQ82

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26
VLAI
Details

In the Orbitz application 19.31.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-15T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In the Orbitz application 19.31.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.",
  "id": "GHSA-7fhr-rh46-hq82",
  "modified": "2024-04-04T02:26:29Z",
  "published": "2022-05-24T16:58:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17355"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/GgpFz3ZW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GX6-2PR2-4XF4

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

Juniper ATP Series Splunk credentials are logged in a file readable by authenticated local users. Using these credentials an attacker can access the Splunk server. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Juniper ATP Series Splunk credentials are logged in a file readable by authenticated local users. Using these credentials an attacker can access the Splunk server. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.",
  "id": "GHSA-7gx6-2pr2-4xf4",
  "modified": "2022-05-13T01:21:10Z",
  "published": "2022-05-13T01:21:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0029"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7H7G-X2PX-94HJ

Vulnerability from github – Published: 2026-03-13 20:54 – Updated: 2026-03-13 20:54
VLAI
Summary
OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
Details

Summary

OpenClaw pairing setup codes generated by /pair and openclaw qr embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.

Impact

An attacker with access to a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow.

Affected versions

openclaw <= 2026.3.11

Patch

Fixed in openclaw 2026.3.12. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to 2026.3.12 or later and rotate any previously exposed shared gateway credentials if setup codes may have leaked.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.11"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:54:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOpenClaw pairing setup codes generated by `/pair` and `openclaw qr` embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.\n\n### Impact\n\nAn attacker with access to a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow.\n\n### Affected versions\n\n`openclaw` `\u003c= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to `2026.3.12` or later and rotate any previously exposed shared gateway credentials if setup codes may have leaked.",
  "id": "GHSA-7h7g-x2px-94hj",
  "modified": "2026-03-13T20:54:18Z",
  "published": "2026-03-13T20:54:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens"
}

GHSA-7HHP-CMGC-52FJ

Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2025-07-31 21:31
VLAI
Details

NVIDIA Omniverse Launcher for Windows and Linux contains a vulnerability in the launcher logs, where a user could cause sensitive information to be written to the log files through proxy servers. A successful exploit of this vulnerability might lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T21:15:27Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA Omniverse Launcher for Windows and Linux contains a vulnerability in the launcher logs, where a user could cause sensitive information to be written to the log files through proxy servers. A successful exploit of this vulnerability might lead to information disclosure.",
  "id": "GHSA-7hhp-cmgc-52fj",
  "modified": "2025-07-31T21:31:54Z",
  "published": "2025-07-31T21:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23289"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5679"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HXQ-5R5Q-RH58

Vulnerability from github – Published: 2022-05-14 02:58 – Updated: 2022-05-14 02:58
VLAI
Details

An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-16T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account \"set\", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.",
  "id": "GHSA-7hxq-5r5q-rh58",
  "modified": "2022-05-14T02:58:57Z",
  "published": "2022-05-14T02:58:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11717"
    },
    {
      "type": "WEB",
      "url": "https://blog.netxp.fr/manageengine-deep-exploitation"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/vulnerability-in-log-files.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JGX-Q4JQ-PP55

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

PuppetDB logging included potentially sensitive system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PuppetDB logging included potentially sensitive system information.",
  "id": "GHSA-7jgx-q4jq-pp55",
  "modified": "2022-05-24T19:12:29Z",
  "published": "2022-05-24T19:12:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27019"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/CVE-2021-27019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.