CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-9M52-7WVP-69MV
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622.
{
"affected": [],
"aliases": [
"CVE-2018-1768"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-26T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622.",
"id": "GHSA-9m52-7wvp-69mv",
"modified": "2022-05-13T01:32:43Z",
"published": "2022-05-13T01:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1768"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148622"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10729219"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041715"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MQ7-8HM8-Q3MP
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-09-29 15:30An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.
{
"affected": [],
"aliases": [
"CVE-2024-37283"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.",
"id": "GHSA-9mq7-8hm8-q3mp",
"modified": "2025-09-29T15:30:29Z",
"published": "2024-08-12T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37283"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-agent-8-15-0-security-update-esa-2024-23/364635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9P5V-74F3-3RQ6
Vulnerability from github – Published: 2024-02-17 18:30 – Updated: 2024-02-17 18:30IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975.
{
"affected": [],
"aliases": [
"CVE-2024-22335"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-17T16:15:47Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Suite 1.10.12.0 through 1.10.17.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 279975.",
"id": "GHSA-9p5v-74f3-3rq6",
"modified": "2024-02-17T18:30:31Z",
"published": "2024-02-17T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22335"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279975"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7118642"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9P7W-W5Q6-MXJ3
Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:01In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNT_TOKEN placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcalico/calico"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "3.31.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcalico/calico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0-cni-plugin.0.20260417001138-cd73bc2cea0f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41184"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:01:02Z",
"nvd_published_at": "2026-05-28T17:16:22Z",
"severity": "MODERATE"
},
"details": "In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.",
"id": "GHSA-9p7w-w5q6-mxj3",
"modified": "2026-07-02T18:01:02Z",
"published": "2026-05-28T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41184"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12502"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12526"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/pull/12527"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/0ca653db0ae7400ea9fb066daa7f45c902482271"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/cd73bc2cea0f4989772f2deb93909e7cfac927e0"
},
{
"type": "WEB",
"url": "https://github.com/projectcalico/calico/commit/da9ea3a13927a35e4022b787d17a005b2157d812"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcalico/calico"
},
{
"type": "WEB",
"url": "https://www.tigera.io/security-bulletins/tta-2026-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Calico Inserts Sensitive Information into Log File"
}
GHSA-9PG3-25FQ-P6CC
Vulnerability from github – Published: 2026-06-10 22:13 – Updated: 2026-06-10 22:13internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at:
/ui/operators/<id>?new_key=<raw-token>&key_name=<name>
The raw API key ends up:
- in the browser's URL history
- in the Referer header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)
- in any reverse-proxy or load-balancer access log on the path (nginx default combined log captures the query string)
- in any structured log sink the operator's local browser-history backup tool ships out
Authorization: Bearer <token> headers go through the same hops without these problems because access logs typically don't capture request headers and the browser doesn't replay headers cross-origin.
Same handler also appends name (r.FormValue("name")) to the query string without url.QueryEscape, so an & in the operator-supplied key name corrupts query parsing and a \r\n in older proxies could split response headers.
Affected
All released versions up to v0.3.1.
Reproducer
As admin, create an API key via /ui/operators/<id>/api-keys (form POST). The 303 Location header carries the raw token in the query string. Open browser DevTools → Network → response headers; or check the reverse-proxy access log; or check the operator-detail page's Referer-emitting fetches.
Suggested fix
Stash the raw key in a one-shot server-side flash storage (e.g., a row in operator_sessions keyed by session token, with a one_shot_token column and consumed_at) or in a short-lived signed cookie. Render the key once inline on the detail page after the redirect, and clear the storage on render. Pattern mirrors the recovery-codes display in the TOTP flow.
If the flash-storage refactor is too invasive, the minimal fix is to render the key inline via a POST → 200 OK with HTML (no redirect), losing the post-redirect-get idiom but eliminating the URL exposure.
Also fix name query encoding with url.QueryEscape regardless of which fix shape lands.
CVSS estimate
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N — 5.5 (medium). AV:L because realistic exploit requires log-read access on shared infrastructure (proxy, CDN, browser-history backup) the operator's session touches.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/juev/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47768"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-532",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T22:13:45Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`internal/web/operators.go:251` \u2014 after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator\u0027s browser at:\n\n /ui/operators/\u003cid\u003e?new_key=\u003craw-token\u003e\u0026key_name=\u003cname\u003e\n\nThe raw API key ends up:\n- in the browser\u0027s URL history\n- in the `Referer` header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)\n- in any reverse-proxy or load-balancer access log on the path (nginx default `combined` log captures the query string)\n- in any structured log sink the operator\u0027s local browser-history backup tool ships out\n\n`Authorization: Bearer \u003ctoken\u003e` headers go through the same hops without these problems because access logs typically don\u0027t capture request headers and the browser doesn\u0027t replay headers cross-origin.\n\nSame handler also appends `name` (`r.FormValue(\"name\")`) to the query string without `url.QueryEscape`, so an `\u0026` in the operator-supplied key name corrupts query parsing and a `\\r\\n` in older proxies could split response headers.\n\n## Affected\nAll released versions up to v0.3.1.\n\n## Reproducer\nAs admin, create an API key via `/ui/operators/\u003cid\u003e/api-keys` (form POST). The 303 Location header carries the raw token in the query string. Open browser DevTools \u2192 Network \u2192 response headers; or check the reverse-proxy access log; or check the operator-detail page\u0027s `Referer`-emitting fetches.\n\n## Suggested fix\nStash the raw key in a one-shot server-side flash storage (e.g., a row in `operator_sessions` keyed by session token, with a `one_shot_token` column and `consumed_at`) or in a short-lived signed cookie. Render the key once inline on the detail page after the redirect, and clear the storage on render. Pattern mirrors the recovery-codes display in the TOTP flow.\n\nIf the flash-storage refactor is too invasive, the minimal fix is to render the key inline via a `POST` \u2192 `200 OK with HTML` (no redirect), losing the post-redirect-get idiom but eliminating the URL exposure.\n\nAlso fix `name` query encoding with `url.QueryEscape` regardless of which fix shape lands.\n\n## CVSS estimate\nAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N \u2014 5.5 (medium). AV:L because realistic exploit requires log-read access on shared infrastructure (proxy, CDN, browser-history backup) the operator\u0027s session touches.",
"id": "GHSA-9pg3-25fq-p6cc",
"modified": "2026-06-10T22:13:45Z",
"published": "2026-06-10T22:13:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-9pg3-25fq-p6cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/juev/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)"
}
GHSA-9Q2H-6VM8-8WPJ
Vulnerability from github – Published: 2021-11-21 00:00 – Updated: 2024-02-27 18:57Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it.
{
"affected": [],
"aliases": [
"CVE-2021-36340"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-20T02:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it.",
"id": "GHSA-9q2h-6vm8-8wpj",
"modified": "2024-02-27T18:57:33Z",
"published": "2021-11-21T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36340"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000193601/dsa-2021-245-dell-emc-secure-connect-gateway-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9R3C-F6XF-QHFQ
Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability.
{
"affected": [],
"aliases": [
"CVE-2025-68919"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T21:16:04Z",
"severity": "MODERATE"
},
"details": "Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability.",
"id": "GHSA-9r3c-f6xf-qhfq",
"modified": "2025-12-24T21:30:34Z",
"published": "2025-12-24T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68919"
},
{
"type": "WEB",
"url": "https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-STR-2025-111413-Security-Notice.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RCX-R2CJ-MHVQ
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-31674"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure.",
"id": "GHSA-9rcx-r2cj-mhvq",
"modified": "2022-08-16T00:00:24Z",
"published": "2022-08-11T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31674"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RWW-66W7-7VJX
Vulnerability from github – Published: 2023-08-11 09:30 – Updated: 2023-08-11 21:58Mattermost fails to sanitize post metadata during audit logging, resulting in permalinks' contents being logged.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.8.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.9.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "7.9.0"
},
{
"fixed": "7.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.10.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "7.10.0"
},
{
"fixed": "7.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4108"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-11T21:58:15Z",
"nvd_published_at": "2023-08-11T07:15:10Z",
"severity": "MODERATE"
},
"details": "Mattermost fails to sanitize post metadata during audit logging, resulting in permalinks\u0027 contents being logged.\n",
"id": "GHSA-9rww-66w7-7vjx",
"modified": "2023-08-11T21:58:15Z",
"published": "2023-08-11T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4108"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to sanitize post metadata"
}
GHSA-9RXJ-QPWG-4HWC
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2024-03-21 03:33In the web-panel in IQrouter through 3.3.1, remote attackers can read system logs because of Incorrect Access Control.
{
"affected": [],
"aliases": [
"CVE-2020-11968"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-21T13:15:00Z",
"severity": "MODERATE"
},
"details": "In the web-panel in IQrouter through 3.3.1, remote attackers can read system logs because of Incorrect Access Control.",
"id": "GHSA-9rxj-qpwg-4hwc",
"modified": "2024-03-21T03:33:55Z",
"published": "2022-05-24T17:15:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11968"
},
{
"type": "WEB",
"url": "https://evenroute.com"
},
{
"type": "WEB",
"url": "https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-"
},
{
"type": "WEB",
"url": "https://openwrt.org/docs/guide-quick-start/walkthrough_login"
},
{
"type": "WEB",
"url": "https://pastebin.com/grSCSBSu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.