CWE-532
Insertion of Sensitive Information into Log File
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (485)
page 23 of 25| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-8564 | 0.00 | — | 0.00 | Dec 7, 2020 | In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. | |||
| CVE-2020-8565 | 0.00 | — | 0.01 | Dec 7, 2020 | In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2. | |||
| CVE-2020-8566 | 0.00 | — | 0.01 | Dec 7, 2020 | In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, <… | |||
| CVE-2020-25640 | 0.00 | — | 0.01 | Nov 24, 2020 | A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file. | |||
| CVE-2020-10763 | — | 0.00 | — | 0.00 | Nov 24, 2020 | An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. | ||
| CVE-2020-9486 | — | 0.00 | — | 0.04 | Oct 1, 2020 | In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. | ||
| CVE-2020-14332 | 0.00 | — | 0.00 | Sep 11, 2020 | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is… | |||
| CVE-2020-14330 | 0.00 | — | 0.01 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other… | |||
| CVE-2020-15095 | 0.00 | — | 0.00 | Jul 7, 2020 | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and… | |||
| CVE-2020-10750 | — | 0.00 | — | 0.00 | Jun 19, 2020 | Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials. | ||
| CVE-2020-13223 | — | 0.00 | — | 0.01 | Jun 10, 2020 | HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. | ||
| CVE-2020-11094 | 0.00 | — | 0.01 | Jun 3, 2020 | The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open… | |||
| CVE-2020-7654 | — | 0.00 | — | 0.01 | May 29, 2020 | All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG. | ||
| CVE-2020-1698 | 0.00 | — | 0.00 | May 11, 2020 | A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. | |||
| CVE-2020-7599 | — | 0.00 | — | 0.00 | Mar 30, 2020 | All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this… | ||
| CVE-2020-5262 | 0.00 | — | 0.01 | Mar 19, 2020 | In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+… | |||
| CVE-2020-1753 | 0.00 | — | 0.01 | Mar 16, 2020 | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are… | |||
| CVE-2020-1942 | — | 0.00 | — | 0.03 | Feb 11, 2020 | In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and… | ||
| CVE-2020-1928 | 0.00 | — | 0.04 | Jan 28, 2020 | An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. | |||
| CVE-2020-5225 | 0.00 | — | 0.01 | Jan 24, 2020 | Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under… |
- CVE-2020-8564Dec 7, 2020risk 0.00cvss —epss 0.00
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
- CVE-2020-8565Dec 7, 2020risk 0.00cvss —epss 0.01
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
- CVE-2020-8566Dec 7, 2020risk 0.00cvss —epss 0.01
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, <…
- CVE-2020-25640Nov 24, 2020risk 0.00cvss —epss 0.01
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.
- CVE-2020-10763Nov 24, 2020risk 0.00cvss —epss 0.00
An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
- CVE-2020-9486Oct 1, 2020risk 0.00cvss —epss 0.04
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
- CVE-2020-14332Sep 11, 2020risk 0.00cvss —epss 0.00
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is…
- CVE-2020-14330Sep 11, 2020risk 0.00cvss —epss 0.01
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other…
- CVE-2020-15095Jul 7, 2020risk 0.00cvss —epss 0.00
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and…
- CVE-2020-10750Jun 19, 2020risk 0.00cvss —epss 0.00
Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.
- CVE-2020-13223Jun 10, 2020risk 0.00cvss —epss 0.01
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
- CVE-2020-11094Jun 3, 2020risk 0.00cvss —epss 0.01
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open…
- CVE-2020-7654May 29, 2020risk 0.00cvss —epss 0.01
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.
- CVE-2020-1698May 11, 2020risk 0.00cvss —epss 0.00
A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
- CVE-2020-7599Mar 30, 2020risk 0.00cvss —epss 0.00
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this…
- CVE-2020-5262Mar 19, 2020risk 0.00cvss —epss 0.01
In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+…
- CVE-2020-1753Mar 16, 2020risk 0.00cvss —epss 0.01
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are…
- CVE-2020-1942Feb 11, 2020risk 0.00cvss —epss 0.03
In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and…
- CVE-2020-1928Jan 28, 2020risk 0.00cvss —epss 0.04
An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
- CVE-2020-5225Jan 24, 2020risk 0.00cvss —epss 0.01
Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under…