CWE-532
Insertion of Sensitive Information into Log File
BaseIncompleteLikelihood: Medium
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (243)
page 4 of 13| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-0875 | Hig | 0.49 | 7.5 | 0.01 | May 31, 2016 | Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attackers to read configuration and log files via a crafted URL. | |
| CVE-2025-41690 | Hig | 0.48 | 7.4 | 0.00 | Sep 2, 2025 | A low-privileged attacker in bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters. | |
| CVE-2026-20205 | Hig | 0.47 | 7.2 | 0.00 | Apr 15, 2026 | In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. <br><br>Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information. | |
| CVE-2025-31479 | Hig | 0.46 | 8.2 | 0.00 | Apr 2, 2025 | canonical/get-workflow-version-action is a GitHub composite action to get commit SHA that GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the token may be truncated—causing part of the GITHUB_TOKEN to be displayed in plaintext in the GitHub Actions logs. Anyone with read access to the GitHub repository can view GitHub Actions logs. For public repositories, anyone can view the GitHub Actions logs. The opportunity to exploit this vulnerability is limited—the GITHUB_TOKEN is automatically revoked when the job completes. However, there is an opportunity for an attack in the time between the GITHUB_TOKEN being displayed in the logs and the completion of the job. Users using the github-token input are impacted. This vulnerability is fixed in 1.0.1. | |
| CVE-2025-54064 | Med | 0.45 | — | 0.00 | Jul 17, 2025 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`. | |
| CVE-2025-8864 | Med | 0.44 | — | 0.00 | Aug 11, 2025 | Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs | |
| CVE-2025-7371 | Med | 0.44 | 6.8 | 0.00 | Jul 22, 2025 | Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions. | |
| CVE-2024-32757 | Med | 0.44 | 6.8 | 0.00 | Jul 2, 2024 | Under certain circumstances unnecessary user details are provided within system logs | |
| CVE-2024-27157 | Med | 0.44 | 6.8 | 0.00 | Jun 14, 2024 | The sessions are stored in clear-text logs. An attacker can retrieve authentication sessions. A remote attacker can retrieve the credentials and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL. | |
| CVE-2024-27156 | Med | 0.44 | 6.8 | 0.00 | Jun 14, 2024 | The session cookies, used for authentication, are stored in clear-text logs. An attacker can retrieve authentication sessions. A remote attacker can retrieve the credentials and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL. | |
| CVE-2024-22440 | Med | 0.44 | 6.8 | 0.00 | Apr 17, 2024 | A potential security vulnerability has been identified in HPE Compute Scale-up Server 3200 server. This vulnerability could cause disclosure of sensitive information in log files. | |
| CVE-2025-43937 | Med | 0.43 | 6.6 | 0.00 | Apr 16, 2026 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |
| CVE-2026-41219 | Med | 0.42 | 6.5 | 0.00 | May 13, 2026 | An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |
| CVE-2026-4901 | Med | 0.42 | 6.5 | 0.00 | Apr 9, 2026 | Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5 | |
| CVE-2026-32982 | Hig | 0.42 | 7.5 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces. | |
| CVE-2026-1495 | Med | 0.42 | 6.5 | 0.00 | Feb 10, 2026 | The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server. | |
| CVE-2025-54376 | Hig | 0.42 | 7.5 | 0.00 | Sep 10, 2025 | Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue. | |
| CVE-2025-7445 | Med | 0.42 | 6.5 | 0.00 | Sep 5, 2025 | Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. | |
| CVE-2025-25013 | Med | 0.42 | 6.5 | 0.00 | Apr 8, 2025 | Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. | |
| CVE-2025-30205 | Hig | 0.42 | 7.6 | 0.00 | Mar 24, 2025 | kanidim-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Prior to version 1.2.0, a faulty function intrumentation in the (optional) kanidm patches provided by kandim-provision will cause the provisioned admin credentials to be leaked to the system log. This only impacts users which both use the provided patches and provision their `admin` or `idm_admin` account credentials this way. No other credentials are affected. Users should recompile kanidm with the newest patchset from tag `v1.2.0` or higher. As a workaround, the user can set the log level `KANIDM_LOG_LEVEL` to any level higher than `info`, for example `warn`. |