CWE-532
Insertion of Sensitive Information into Log File
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (485)
page 20 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-23840 | | | 0.00 | — | 0.00 | | Jan 30, 2024 | GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The `goreleaser release --debug` log shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0. |
| CVE-2024-23686 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file. |
| CVE-2024-21668 | | | 0.00 | — | 0.00 | | Jan 9, 2024 | react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the… |
| CVE-2023-46742 | | | 0.00 | — | 0.00 | | Jan 3, 2024 | CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs in multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user… |
| CVE-2023-49922 | | | 0.00 | — | 0.01 | | Dec 12, 2023 | An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in their own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or… |
| CVE-2023-48708 | | | 0.00 | — | 0.01 | | Nov 24, 2023 | CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions, successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table, they can obtain a raw… |
| CVE-2021-22143 | | | 0.00 | — | 0.01 | | Nov 22, 2023 | The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is… |
| CVE-2023-47390 | | — | 0.00 | — | 0.01 | | Nov 11, 2023 | Headscale through 0.22.3 writes bearer tokens to info-level logs. |
| CVE-2023-46255 | | | 0.00 | — | 0.00 | | Oct 31, 2023 | SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`), the full URI (including the… |
| CVE-2023-46215 | | | 0.00 | — | 0.01 | | Oct 28, 2023 | Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information is logged as clear text when the rediss, amqp or rpc protocols are used as the Celery result backend. Note: the vulnerability is about the information… |
| CVE-2023-31417 | | | 0.00 | — | 0.00 | | Oct 26, 2023 | Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information… |
| CVE-2023-44483 | | | 0.00 | — | 0.01 | | Oct 20, 2023 | All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users… |
| CVE-2023-45809 | | | 0.00 | — | 0.00 | | Oct 19, 2023 | Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from… |
| CVE-2023-45825 | | | 0.00 | — | 0.00 | | Oct 19, 2023 | ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6, if you use a custom credentials object (an implementation of the Credentials interface), it may leak into logs. This happens because this object could be serialized into an error message… |
| CVE-2023-40029 | | | 0.00 | — | 0.01 | | Sep 7, 2023 | Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. pull request #7139… |
| CVE-2023-41934 | | | 0.00 | — | 0.01 | | Sep 6, 2023 | Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked. |
| CVE-2021-32050 | | — | 0.00 | — | 0.00 | | Aug 29, 2023 | Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care,… |
| CVE-2023-39348 | | | 0.00 | — | 0.00 | | Aug 28, 2023 | Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output… |
| CVE-2023-40338 | | | 0.00 | — | 0.01 | | Aug 16, 2023 | Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. |
| CVE-2023-4108 | | | 0.00 | — | 0.01 | | Aug 11, 2023 | Mattermost fails to sanitize post metadata during audit logging, resulting in permalink contents being logged. |