Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1742 vulnerabilities reference this CWE, most recent first.

CVE-2025-55285 (GCVE-0-2025-55285)

Vulnerability from cvelistv5 – Published: 2025-08-15 17:10 – Updated: 2025-08-15 17:49
VLAI
Title
@backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template`
Summary
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
backstage backstage Affected: < 2.1.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55285",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-15T17:49:07.268161Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-15T17:49:24.677Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "backstage",
          "vendor": "backstage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-15T17:10:26.735Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7"
        },
        {
          "name": "https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e"
        }
      ],
      "source": {
        "advisory": "GHSA-3x3q-ghcp-whf7",
        "discovery": "UNKNOWN"
      },
      "title": "@backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55285",
    "datePublished": "2025-08-15T17:10:26.735Z",
    "dateReserved": "2025-08-12T16:15:30.236Z",
    "dateUpdated": "2025-08-15T17:49:24.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54781 (GCVE-0-2025-54781)

Vulnerability from cvelistv5 – Published: 2025-08-01 23:35 – Updated: 2025-08-04 15:26
VLAI
Title
Himmelblau leaks an Intune service access token in its logs
Summary
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaud_tasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the host's Intune compliance status, and may permit additional administrative operations for the Intune host device (though the API for these operations is undocumented). This is fixed in version 1.1.0. To workaround this issue, ensure that Himmelblau debugging is disabled.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
himmelblau-idm himmelblau Affected: >= 1.0.0, < 1.1.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54781",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-04T15:25:54.698379Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-04T15:26:00.494Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "himmelblau",
          "vendor": "himmelblau-idm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaud_tasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the host\u0027s Intune compliance status, and may permit additional administrative operations for the Intune host device (though the API for these operations is undocumented). This is fixed in version 1.1.0. To workaround this issue, ensure that Himmelblau debugging is disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-01T23:35:23.713Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-78qg-vmrw-574w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-78qg-vmrw-574w"
        },
        {
          "name": "https://github.com/himmelblau-idm/himmelblau/commit/2d512bded90ac6a54fcdf737b43ff5d9d4cdb59e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/himmelblau-idm/himmelblau/commit/2d512bded90ac6a54fcdf737b43ff5d9d4cdb59e"
        },
        {
          "name": "https://github.com/himmelblau-idm/himmelblau/releases/tag/1.1.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/himmelblau-idm/himmelblau/releases/tag/1.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-78qg-vmrw-574w",
        "discovery": "UNKNOWN"
      },
      "title": "Himmelblau leaks an Intune service access token in its logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54781",
    "datePublished": "2025-08-01T23:35:23.713Z",
    "dateReserved": "2025-07-29T16:50:28.391Z",
    "dateUpdated": "2025-08-04T15:26:00.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54319 (GCVE-0-2025-54319)

Vulnerability from cvelistv5 – Published: 2025-07-20 00:00 – Updated: 2025-07-22 14:21
VLAI
Summary
An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
Westermo WeOS Affected: 5.24.0 , ≤ 5.24.4 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T14:20:58.255406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T14:21:05.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WeOS",
          "vendor": "Westermo",
          "versions": [
            {
              "lessThanOrEqual": "5.24.4",
              "status": "affected",
              "version": "5.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-20T20:46:59.300Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.westermo.com/-/media/Files/Cyber-security/westermo_sa_25-08_sensitive_information_in_logging.pdf?rev=40c4e78bd1524f639a89cd1b005e0f23\u0026hash=64987A18FFECA633F23DB11FE5EAFA9A"
        },
        {
          "url": "https://www.westermo.com/uk/support/security-advisories"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-54319",
    "datePublished": "2025-07-20T00:00:00.000Z",
    "dateReserved": "2025-07-20T00:00:00.000Z",
    "dateUpdated": "2025-07-22T14:21:05.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54120 (GCVE-0-2025-54120)

Vulnerability from cvelistv5 – Published: 2025-07-23 00:11 – Updated: 2025-07-23 15:14
VLAI
Title
PCL Community Edition exposes login credentials in logs
Summary
PCL (Plain Craft Launcher) Community Edition is a Minecraft launcher. In PCL CE versions 2.12.0-beta.5 to 2.12.0-beta.9, the login credentials used during the third-party login process are accidentally recorded in the local log file. Although the log file is not automatically uploaded or shared, if the user manually sends the log file, there is a risk of leakage. This is fixed in version 2.12.0-beta.10.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
PCL-Community PCL2-CE Affected: >= 2.12.0-beta.5, < 2.12.0-beta.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54120",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-23T14:31:07.624390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-23T15:14:46.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PCL2-CE",
          "vendor": "PCL-Community",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.12.0-beta.5, \u003c 2.12.0-beta.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PCL (Plain Craft Launcher) Community Edition is a Minecraft launcher. In PCL CE versions 2.12.0-beta.5 to 2.12.0-beta.9, the login credentials used during the third-party login process are accidentally recorded in the local log file. Although the log file is not automatically uploaded or shared, if the user manually sends the log file, there is a risk of leakage. This is fixed in version 2.12.0-beta.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-23T00:11:58.870Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/PCL-Community/PCL2-CE/security/advisories/GHSA-f3rx-h3cv-696g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PCL-Community/PCL2-CE/security/advisories/GHSA-f3rx-h3cv-696g"
        },
        {
          "name": "https://github.com/PCL-Community/PCL2-CE/commit/b72eaaef05c131958b0f03bd5e7c2464bbc2af4f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PCL-Community/PCL2-CE/commit/b72eaaef05c131958b0f03bd5e7c2464bbc2af4f"
        }
      ],
      "source": {
        "advisory": "GHSA-f3rx-h3cv-696g",
        "discovery": "UNKNOWN"
      },
      "title": "PCL Community Edition exposes login credentials in logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54120",
    "datePublished": "2025-07-23T00:11:58.870Z",
    "dateReserved": "2025-07-16T23:53:40.508Z",
    "dateUpdated": "2025-07-23T15:14:46.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54064 (GCVE-0-2025-54064)

Vulnerability from cvelistv5 – Published: 2025-07-17 14:40 – Updated: 2025-07-17 20:01
VLAI
Title
rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
rucio helm-charts Affected: rucio-server < 32.0.1
Affected: rucio-server >= 33.0.0, < 35.0.1
Affected: rucio-server >= 36.0.0, < 37.0.2
Affected: rucio-ui < 32.0.2
Affected: rucio-ui >= 33.0.0, < 35.1.1
Affected: rucio-ui >= 36.0.0, < 37.0.4
Affected: rucio-webui < 32.0.1
Affected: rucio-webui >= 33.0.0, < 35.1.1
Affected: rucio-webui >= 36.0.0, < 37.0.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54064",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:01:37.791373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:01:54.062Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "helm-charts",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "rucio-server \u003c 32.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-server \u003e= 33.0.0, \u003c 35.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-server \u003e= 36.0.0, \u003c 37.0.2"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003c 32.0.2"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003e= 33.0.0, \u003c 35.1.1"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003e= 36.0.0, \u003c 37.0.4"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003c 32.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003e= 33.0.0, \u003c 35.1.1"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003e= 36.0.0, \u003c 37.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T14:40:59.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33"
        }
      ],
      "source": {
        "advisory": "GHSA-cmfq-f2v2-vj33",
        "discovery": "UNKNOWN"
      },
      "title": "rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54064",
    "datePublished": "2025-07-17T14:40:59.619Z",
    "dateReserved": "2025-07-16T13:22:18.204Z",
    "dateUpdated": "2025-07-17T20:01:54.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53886 (GCVE-0-2025-53886)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:35 – Updated: 2025-07-15 13:41
VLAI
Title
Directus doesn't redact tokens in Flow logs
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:41:05.387368Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:41:18.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:35:56.448Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
        },
        {
          "name": "https://github.com/directus/directus/pull/25354",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25354"
        },
        {
          "name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f24x-rm6g-3w5v",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact tokens in Flow logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53886",
    "datePublished": "2025-07-14T23:35:56.448Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:41:18.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53885 (GCVE-0-2025-53885)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:18 – Updated: 2025-07-15 13:43
VLAI
Title
Directus doesn't redact sensitive user data when logging via event hooks
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:43:27.488182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:43:35.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the \"Log to Console\" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:18:57.503Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
        },
        {
          "name": "https://github.com/directus/directus/pull/25355",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25355"
        },
        {
          "name": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-x3vm-88hf-gpxp",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact sensitive user data when logging via event hooks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53885",
    "datePublished": "2025-07-14T23:18:57.503Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:43:35.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53649 (GCVE-0-2025-53649)

Vulnerability from cvelistv5 – Published: 2025-07-29 04:41 – Updated: 2025-07-29 13:58
VLAI
Summary
"SwitchBot" App for iOS/Android contains an insertion of sensitive information into log file vulnerability in versions V6.24 through V9.12. If this vulnerability is exploited, sensitive user information may be exposed to an attacker who has access to the application logs.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of sensitive information into log file
Assigner
Impacted products
Vendor Product Version
SwitchBot SwitchBot App for iOS/Android Affected: V6.24 through V9.12
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53649",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-29T13:58:04.561921Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-29T13:58:10.661Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SwitchBot App for iOS/Android",
          "vendor": "SwitchBot",
          "versions": [
            {
              "status": "affected",
              "version": "V6.24 through V9.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "\"SwitchBot\" App for iOS/Android contains an insertion of sensitive information into log file vulnerability in versions V6.24 through V9.12. If this vulnerability is exploited, sensitive user information may be exposed to an attacker who has access to the application logs."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "Insertion of sensitive information into log file",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T04:41:35.880Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.switchbot.jp/pages/switchbot-app-vulnerability-fix202507"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN59585716/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-53649",
    "datePublished": "2025-07-29T04:41:35.880Z",
    "dateReserved": "2025-07-08T06:34:47.546Z",
    "dateUpdated": "2025-07-29T13:58:10.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52893 (GCVE-0-2025-52893)

Vulnerability from cvelistv5 – Published: 2025-06-25 16:54 – Updated: 2025-06-25 20:39
VLAI
Title
OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data
Summary
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
openbao openbao Affected: < 2.3.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52893",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T20:35:02.788748Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T20:39:04.734Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openbao",
          "vendor": "openbao",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T16:54:50.262Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq"
        },
        {
          "name": "https://github.com/go-viper/mapstructure/pull/105",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-viper/mapstructure/pull/105"
        },
        {
          "name": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a"
        },
        {
          "name": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30"
        },
        {
          "name": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717"
        },
        {
          "name": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0"
        }
      ],
      "source": {
        "advisory": "GHSA-8f5r-8cmq-7fmq",
        "discovery": "UNKNOWN"
      },
      "title": "OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52893",
    "datePublished": "2025-06-25T16:54:50.262Z",
    "dateReserved": "2025-06-20T17:42:25.709Z",
    "dateUpdated": "2025-06-25T20:39:04.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52580 (GCVE-0-2025-52580)

Vulnerability from cvelistv5 – Published: 2025-07-22 04:49 – Updated: 2025-07-22 15:36
VLAI
Summary
Insertion of sensitive information into log file issue exists in "region PAY" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who has access to the application logs.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of sensitive information into log file
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T15:19:47.477187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T15:36:00.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "\"region PAY\" App for Android",
          "vendor": "Gift Pad Co.,Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 1.5.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insertion of sensitive information into log file issue exists in \"region PAY\" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who has access to the application logs."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "Insertion of sensitive information into log file",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-22T04:49:33.459Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://jvn.jp/en/jp/JVN07825095/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-52580",
    "datePublished": "2025-07-22T04:49:33.459Z",
    "dateReserved": "2025-07-15T01:02:40.018Z",
    "dateUpdated": "2025-07-22T15:36:00.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.