CWE-532
Insertion of Sensitive Information into Log File
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (485)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-31098 | | | 0.00 | — | 0.01 | | Jun 27, 2022 | Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka… |
| CVE-2022-31047 | | | 0.00 | — | 0.01 | | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete… |
| CVE-2022-29810 | | — | 0.00 | — | 0.00 | | Apr 27, 2022 | The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
| CVE-2022-26907 | | | 0.00 | — | 0.02 | | Apr 15, 2022 | Azure SDK for .NET Information Disclosure Vulnerability |
| CVE-2022-24758 | | | 0.00 | — | 0.01 | | Mar 31, 2022 | The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter… |
| CVE-2022-24757 | | | 0.00 | — | 0.01 | | Mar 23, 2022 | The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other… |
| CVE-2021-20180 | | — | 0.00 | — | 0.00 | | Mar 16, 2022 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat… |
| CVE-2022-27195 | | | 0.00 | — | 0.00 | | Mar 15, 2022 | Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by… |
| CVE-2022-0338 | | — | 0.00 | — | 0.01 | | Jan 25, 2022 | Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3. |
| CVE-2021-34797 | | — | 0.00 | — | 0.03 | | Jan 4, 2022 | Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or… |
| CVE-2021-32724 | | | 0.00 | — | 0.02 | | Sep 9, 2021 | check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the [check-spelling action](https://github.com/marketplace/actions/check-spelling) enabled that triggers on `pull_request_target` (or `schedule`), an attacker can… |
| CVE-2021-37709 | | — | 0.00 | — | 0.01 | | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3,… |
| CVE-2021-32767 | | | 0.00 | — | 0.01 | | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may have been logged as plain-text. This occurs when explicitly using log level debug, which is not the default… |
| CVE-2021-20191 | | — | 0.00 | — | 0.00 | | May 26, 2021 | A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this… |
| CVE-2021-20178 | | — | 0.00 | — | 0.00 | | May 26, 2021 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat… |
| CVE-2021-32074 | | — | 0.00 | — | 0.02 | | May 7, 2021 | HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. |
| CVE-2021-21361 | | — | 0.00 | — | 0.01 | | Mar 9, 2021 | The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious… |
| CVE-2020-7021 | | | 0.00 | — | 0.01 | | Feb 10, 2021 | Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow… |
| CVE-2021-22133 | | | 0.00 | — | 0.01 | | Feb 10, 2021 | The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an… |
| CVE-2020-8563 | | | 0.00 | — | 0.01 | | Dec 7, 2020 | In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. |