VYPR

CWE-532

Insertion of Sensitive Information into Log File

BaseIncompleteLikelihood: Medium

Description

The product writes sensitive information to a log file.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-215

CVEs mapped to this weakness (485)

page 21 of 25
  • CVE-2023-34236Jul 14, 2023
    risk 0.00cvss epss 0.01

    Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive…

  • CVE-2023-2878Jun 7, 2023
    risk 0.00cvss epss 0.00

    Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.

  • CVE-2023-33001May 16, 2023
    risk 0.00cvss epss 0.01

    Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-29471Apr 27, 2023
    risk 0.00cvss epss 0.00

    Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

  • CVE-2023-30618Apr 21, 2023
    risk 0.00cvss epss 0.00

    Kitchen-Terraform provides a set of Test Kitchen plugins which enable the use of Test Kitchen to converge a Terraform configuration and verify the resulting infrastructure systems with InSpec controls. Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform…

  • CVE-2023-30610Apr 19, 2023
    risk 0.00cvss epss 0.00

    aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When…

  • CVE-2023-29002Apr 18, 2023
    risk 0.00cvss epss 0.00

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the `cilium-secrets` namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker…

  • CVE-2023-25721Mar 28, 2023
    risk 0.00cvss epss 0.01

    Veracode Scan Jenkins Plugin before 23.3.19.0, when the "Connect using proxy" option is enabled and configured with proxy credentials and when the Jenkins global system setting debug is enabled and when a scan is configured for remote agent jobs, allows users (with access to…

  • CVE-2021-3684Mar 24, 2023
    risk 0.00cvss epss 0.00

    A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the…

  • CVE-2023-28443Mar 23, 2023
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version…

  • CVE-2023-20859Mar 23, 2023
    risk 0.00cvss epss 0.00

    In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

  • CVE-2023-0815Feb 23, 2023
    risk 0.00cvss epss 0.01

    Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.…

  • CVE-2023-25163Feb 8, 2023
    risk 0.00cvss epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are…

  • CVE-2023-24827Feb 7, 2023
    risk 0.00cvss epss 0.01

    syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment…

  • CVE-2023-22733Jan 17, 2023
    risk 0.00cvss epss 0.01

    Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users…

  • CVE-2022-23469Dec 8, 2022
    risk 0.00cvss epss 0.01

    Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the…

  • CVE-2022-31684Oct 19, 2022
    risk 0.00cvss epss 0.01

    Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level…

  • CVE-2022-0718Aug 29, 2022
    risk 0.00cvss epss 0.01

    A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.

  • CVE-2022-38149Aug 17, 2022
    risk 0.00cvss epss 0.01

    HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2.

  • CVE-2022-31186Aug 1, 2022
    risk 0.00cvss epss 0.00

    NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity…