VYPR

CWE-532

Insertion of Sensitive Information into Log File

Abstraction: Base
Status: Incomplete
Likelihood of exploit: Medium

Description

The product writes sensitive information to a log file.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-215

CVEs mapped to this weakness (485)

page 24 of 25
  • CVE-2019-14864 (Jan 2, 2020)
    risk 0.00 / cvss n/a / epss 0.02

    Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any…

  • CVE-2012-1156 (Nov 14, 2019)
    risk 0.00 / cvss n/a / epss 0.02

    Moodle before 2.2.2 has users' private files included in course backups.

  • CVE-2019-14858 (Oct 14, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub…

  • CVE-2019-14846 (Oct 8, 2019)
    risk 0.00 / cvss n/a / epss 0.01

    In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not…

  • CVE-2019-10212 (Oct 2, 2019)
    risk 0.00 / cvss n/a / epss 0.02

    A flaw was found in Undertow, all versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

  • CVE-2019-11250 (Aug 29, 2019)
    risk 0.00 / cvss n/a / epss 0.02

    The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token…

  • CVE-2019-10367 (Aug 7, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

  • CVE-2019-10370 (Aug 7, 2019)
    risk 0.00 / cvss n/a / epss 0.01

    Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.

  • CVE-2019-10364 (Jul 31, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.

  • CVE-2019-10345 (Jul 31, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.

  • CVE-2019-10358 (Jul 31, 2019)
    risk 0.00 / cvss n/a / epss 0.01

    Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.

  • CVE-2019-10343 (Jul 31, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

  • CVE-2019-13509 (Jul 18, 2019)
    risk 0.00 / cvss n/a / epss 0.04

    In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes…

  • CVE-2019-3888 (Jun 12, 2019)
    risk 0.00 / cvss n/a / epss 0.03

    A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFaile…

  • CVE-2019-3830 (Mar 26, 2019)
    risk 0.00 / cvss n/a / epss 0.00

    A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated.

  • CVE-2018-16856 (Mar 26, 2019)
    risk 0.00 / cvss n/a / epss 0.01

    In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in…

  • CVE-2018-16859 (Nov 29, 2018)
    risk 0.00 / cvss n/a / epss 0.01

    Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the…

  • CVE-2018-1000123 (Critical) (Mar 13, 2018)
    risk 0.00 / cvss 9.8 / epss 0.01

    Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack…

  • CVE-2018-1000060 (Critical) (Feb 9, 2018)
    risk 0.00 / cvss 9.8 / epss 0.02

    Sensu, Inc. Sensu Core version before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive() that can result in sensitive configuration data (e.g. passwords) being logged in clear text. This attack…

  • CVE-2014-1948 (Feb 14, 2014)
    risk 0.00 / cvss n/a / epss 0.00

    OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive…
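The entries above share one shape: a library dumps a whole request, header map, URL or config object into a log record (client-go headers at verbosity 7+, Undertow's HttpServerExchange at ERROR level, Glance's Swift URL on auth failure, the start of a PEM key, an Ansible 'become' password) and the credential rides along. The example below is added here and is not code from VYPR, from CWE, or from any of the projects listed; it shows a redaction filter placed on the logging handler, which scrubs both structured args and free text before any record is formatted, and a small leak check that scans the resulting lines. The class and function names (SecretRedactingFilter, scrub_text, scrub_value, emit_samples, leaked), the key list, the regexes and the sample records are this example's own constructions, not any project's API.

```python
import io
import logging
import re

MASK = "[REDACTED]"

# Keys whose values are secret whenever they appear in structured data (dict args).
# Constructed list for this example; extend it for your own schema.
SECRET_KEYS = {
    "password", "passwd", "secret", "token", "api_key", "private_key",
    "authorization", "proxy-authorization", "cookie", "set-cookie",
}

# Secret shapes embedded in free text. Order matters: the header rule runs before
# the generic key=value rule so "Authorization: Bearer ..." is handled whole.
_PATTERNS = [
    # Authorization / Proxy-Authorization header values, any scheme
    (re.compile(r"(?i)((?:proxy-)?authorization\s*[:=]\s*)(?:basic|bearer)?\s*\S+"),
     r"\1" + MASK),
    # key=value or key: value pairs for common secret names (also X-Auth-Token: ...)
    (re.compile(r"(?i)\b(password|passwd|secret|token|api_key)(\s*[:=]\s*)\S+"),
     r"\1\2" + MASK),
    # credentials embedded in URLs: scheme://user:pass@host
    (re.compile(r"(\w+://[^/\s:@]+:)[^@\s/]+(@)"), r"\1" + MASK + r"\2"),
    # PEM private key blocks, complete or cut off (even the first line leaks material)
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?(?:-----END [A-Z ]*PRIVATE KEY-----|\Z)",
                re.S), MASK),
]


def scrub_text(text: str) -> str:
    """Apply every free-text rule to one string."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text


def scrub_value(value):
    """Recursively redact dict values under secret keys, then run text rules on strings."""
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in SECRET_KEYS else scrub_value(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub_value(v) for v in value)
    if isinstance(value, str):
        return scrub_text(value)
    return value


class SecretRedactingFilter(logging.Filter):
    """Scrubs record.msg and record.args before any handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):       # logging collapses a lone dict arg to the dict itself
            record.args = scrub_value(record.args)
        elif record.args:                       # positional %-args
            record.args = tuple(scrub_value(a) for a in record.args)
        record.msg = scrub_text(record.msg) if isinstance(record.msg, str) else scrub_value(record.msg)
        return True                             # never drop the record, only clean it


# Constructed secrets used by the sample records below; none are real credentials.
SECRETS = ["eyJhbGciOiJIUzI1NiJ9.c3VwZXJzZWNyZXQ", "Ym9iOmh1bnRlcjI=", "S3cr3t",
           "MIIEowIBAAKCAQEA", "Passw0rd!"]


def emit_samples(redact: bool = True) -> list[str]:
    """Log constructed records shaped like the CVEs above and return the lines a
    file handler would have written, with or without the filter on the handler."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(SecretRedactingFilter())   # on the handler, so every logger is covered
    log = logging.getLogger("cwe532.example")
    log.handlers.clear()
    log.propagate = False
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)

    # client-go style: the whole header map dumped at high verbosity
    log.debug("request headers: %s", {"Host": "api.internal", "Authorization": "Bearer " + SECRETS[0]})
    # Undertow style: the request stringified at ERROR level
    log.error("request failed: %s", "GET /login Authorization: Basic " + SECRETS[1])
    # Glance style: backend URL with embedded credentials on auth failure
    log.warning("swift auth failed for %s", "https://glance:" + SECRETS[2] + "@swift.internal/v1")
    # EC2 plugin style: the start of a PEM key echoed to the system log
    log.info("loaded key %s", "-----BEGIN RSA PRIVATE KEY-----\n" + SECRETS[3] + "...")
    # Ansible style: secret baked into the message string itself
    log.debug("become password=" + SECRETS[4])
    handler.flush()
    return buf.getvalue().splitlines()


def leaked(lines, secrets=SECRETS) -> list[str]:
    """Return the known secrets that still appear verbatim in the emitted lines."""
    return [s for s in secrets if any(s in line for line in lines)]


if __name__ == "__main__":
    print("without filter:", leaked(emit_samples(redact=False)))
    print("with filter:", leaked(emit_samples()))
    for line in emit_samples():
        print(line)
```

The structured path (scrub_value on record.args) is the one that matters most: once a dict has been rendered by str(), the quotes around keys defeat a simple key=value regex, which is why the filter scrubs args before formatting and treats the text rules as a backstop. Attaching the filter to the handler rather than a logger is deliberate, since a logger-level filter only sees records created by that logger, not those propagated from children.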