CWE-532
Insertion of Sensitive Information into Log File
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (485)
page 19 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-49750 | | | 0.00 | — | 0.00 | | Oct 24, 2024 | The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo… |
| CVE-2024-47822 | | | 0.00 | — | 0.00 | | Oct 8, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to… |
| CVE-2024-47913 | | — | 0.00 | — | 0.00 | | Oct 4, 2024 | An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the… |
| CVE-2024-8365 | | | 0.00 | — | 0.00 | | Sep 2, 2024 | Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC'd sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token… |
| CVE-2024-37286 | | | 0.00 | — | 0.00 | | Aug 3, 2024 | APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the… |
| CVE-2023-49921 | | | 0.00 | — | 0.00 | | Jul 26, 2024 | An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch being printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolve this issue by… |
| CVE-2024-41178 | | | 0.00 | — | 0.01 | | Jul 23, 2024 | Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity… |
| CVE-2024-39460 | | | 0.00 | — | 0.00 | | Jun 26, 2024 | Jenkins Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. |
| CVE-2024-6104 | | — | 0.00 | — | 0.00 | | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. |
| CVE-2024-38460 | | | 0.00 | — | 0.00 | | Jun 16, 2024 | In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc.). |
| CVE-2024-34715 | | | 0.00 | — | 0.00 | | May 29, 2024 | Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@`… |
| CVE-2024-1102 | | | 0.00 | — | 0.01 | | Apr 25, 2024 | A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database connection. |
| CVE-2024-31391 | | | 0.00 | — | 0.01 | | Apr 12, 2024 | Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic authentication and create… |
| CVE-2024-27097 | | | 0.00 | — | 0.00 | | Mar 13, 2024 | A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupting the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are… |
| CVE-2024-28236 | | — | 0.00 | — | 0.01 | | Mar 12, 2024 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and, by using… |
| CVE-2024-28154 | | | 0.00 | — | 0.01 | | Mar 6, 2024 | Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default. |
| CVE-2023-50740 | | — | 0.00 | — | 0.01 | | Mar 6, 2024 | In Apache Linkis <=1.4.0, the password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0. |
| CVE-2024-23448 | | | 0.00 | — | 0.01 | | Feb 7, 2024 | An issue was discovered whereby APM Server could log at ERROR level a response from Elasticsearch indicating that indexing the document failed, and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted… |
| CVE-2024-1141 | | | 0.00 | — | 0.00 | | Feb 1, 2024 | A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled. |
| CVE-2024-0831 | | | 0.00 | — | 0.01 | | Feb 1, 2024 | Vault and Vault Enterprise ("Vault") may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`. |