Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-JMRX-5G74-6V2F

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2025-02-28 18:06
VLAI
Summary
Kubernetes client-go library logs may disclose credentials to unauthorized users
Details

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/client-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:35:06Z",
    "nvd_published_at": "2019-08-29T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.",
  "id": "GHSA-jmrx-5g74-6v2f",
  "modified": "2025-02-28T18:06:30Z",
  "published": "2022-05-24T16:55:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/81114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/81330"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4052"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4087"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0065"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190919-0003"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/10/16/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kubernetes client-go library logs may disclose credentials to unauthorized users"
}

GHSA-JP24-RG62-2H88

Vulnerability from github – Published: 2024-10-31 03:30 – Updated: 2024-10-31 03:30
VLAI
Details

The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-31T02:15:03Z",
    "severity": "MODERATE"
  },
  "details": "The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.",
  "id": "GHSA-jp24-rg62-2h88",
  "modified": "2024-10-31T03:30:45Z",
  "published": "2024-10-31T03:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10544"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-manage-fraud-orders/trunk/includes/class-wmfo-debug-log.php#L25"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a62df5f6-64b0-4489-9dde-0d472040ee12?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JP7V-3587-2956

Vulnerability from github – Published: 2023-02-08 21:38 – Updated: 2023-02-08 21:38
VLAI
Summary
Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set
Details

A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.

Impact

The SYFT_ATTEST_PASSWORD environment variable is for the syft attest command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with syft attest --key <path-to-key-file>) during the signing process while generating an SBOM attestation.

This vulnerability affects users running syft that have the SYFT_ATTEST_PASSWORD environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable SYFT_ATTEST_PASSWORD set are not affected by this issue.

The credentials are leaked in two ways: - in the syft logs when -vv or -vvv are used in the syft command (which is any log level >= DEBUG) - in the attestation or SBOM only when the syft-json format is used

Note that as of v0.69.0 any generated attestations by the syft attest command are uploaded to the OCI registry (if you have write access to that registry) in the same way cosign attach is done. This means that any attestations generated for the affected versions of syft when the SYFT_ATTEST_PASSWORD environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.

Example commands run from affected versions of syft that show the credential disclosure:

$ SYFT_ATTEST_PASSWORD=123456 syft <container-image-or-directory-input> -o syft-json | grep 123456
# "123456" is in the output

$ SYFT_ATTEST_PASSWORD=123456 syft attest <container-image-input> -o syft-json 
$ cosign download attestation <container-image-input> | jq -r '.payload' | base64 -d | grep 123456
# "123456" is in the output

Patches

The patch has been released in v0.70.0.

Workarounds

There are no workarounds for this vulnerability.

References

Patch pull request: https://github.com/anchore/syft/pull/1538

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/syft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.69.0"
            },
            {
              "fixed": "0.70.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T21:38:46Z",
    "nvd_published_at": "2023-02-07T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.\n\n### Impact\nThe `SYFT_ATTEST_PASSWORD` environment variable is for the `syft attest` command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with `syft attest --key \u003cpath-to-key-file\u003e`)  during the signing process while generating an SBOM attestation. \n\nThis vulnerability affects users running syft that have the `SYFT_ATTEST_PASSWORD` environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable `SYFT_ATTEST_PASSWORD` set are not affected by this issue.\n\nThe credentials are leaked in two ways:\n- in the syft logs when `-vv` or `-vvv` are used in the syft command (which is any log level \u003e= `DEBUG`)\n- in the attestation or SBOM only when the `syft-json` format is used \n\nNote that as of v0.69.0 any generated attestations by the `syft attest` command are uploaded to the OCI registry (if you have write access to that registry) in the same way `cosign attach` is done. This means that any attestations generated for the affected versions of syft when the `SYFT_ATTEST_PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.\n\nExample commands run from affected versions of syft that show the credential disclosure:\n```bash\n$ SYFT_ATTEST_PASSWORD=123456 syft \u003ccontainer-image-or-directory-input\u003e -o syft-json | grep 123456\n# \"123456\" is in the output\n\n$ SYFT_ATTEST_PASSWORD=123456 syft attest \u003ccontainer-image-input\u003e -o syft-json \n$ cosign download attestation \u003ccontainer-image-input\u003e | jq -r \u0027.payload\u0027 | base64 -d | grep 123456\n# \"123456\" is in the output\n```\n\n### Patches\n\nThe patch has been released in v0.70.0.\n\n### Workarounds\n\nThere are no workarounds for this vulnerability.\n\n### References\n\nPatch pull request: https://github.com/anchore/syft/pull/1538",
  "id": "GHSA-jp7v-3587-2956",
  "modified": "2023-02-08T21:38:46Z",
  "published": "2023-02-08T21:38:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/syft"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set"
}

GHSA-JPCM-4485-69P7

Vulnerability from github – Published: 2021-03-09 00:38 – Updated: 2021-03-12 17:32
VLAI
Summary
Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin
Details

Impact

The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.

When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors.

Patches

Fixed in version 3.0.0

References

  • https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44
  • https://github.com/bmuschko/gradle-vagrant-plugin/issues/19
  • https://github.com/bmuschko/gradle-vagrant-plugin/pull/20

For more information

If you have any questions or comments about this advisory: * Open an issue in bmuschko/gradle-vagrant-plugin

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.bmuschko:gradle-vagrant-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-09T00:38:15Z",
    "nvd_published_at": "2021-03-09T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.\n\nWhen this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors.\n\n### Patches\nFixed in version 3.0.0\n\n### References\n\n - https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44\n - https://github.com/bmuschko/gradle-vagrant-plugin/issues/19\n - https://github.com/bmuschko/gradle-vagrant-plugin/pull/20\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [bmuschko/gradle-vagrant-plugin](https://github.com/bmuschko/gradle-vagrant-plugin)",
  "id": "GHSA-jpcm-4485-69p7",
  "modified": "2021-03-12T17:32:39Z",
  "published": "2021-03-09T00:38:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-jpcm-4485-69p7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21361"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bmuschko/gradle-vagrant-plugin/issues/19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bmuschko/gradle-vagrant-plugin/pull/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin"
}

GHSA-JPXC-VMJF-9FCJ

Vulnerability from github – Published: 2024-09-16 14:37 – Updated: 2025-11-04 00:31
VLAI
Summary
Ansible vulnerable to Insertion of Sensitive Information into Log File
Details

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.17.0b1"
            },
            {
              "fixed": "2.17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-16T22:49:05Z",
    "nvd_published_at": "2024-09-14T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.",
  "id": "GHSA-jpxc-vmjf-9fcj",
  "modified": "2025-11-04T00:31:25Z",
  "published": "2024-09-16T14:37:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8775"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/8a87e1c5d37422bc99d27ad4237d185cc233e035"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10762"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:8969"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9894"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:1249"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-8775"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jpxc-vmjf-9fcj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/v2.16.13/changelogs/CHANGELOG-v2.16.rst#security-fixes"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/v2.17.6/changelogs/CHANGELOG-v2.17.rst#security-fixes"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ansible vulnerable to Insertion of Sensitive Information into Log File"
}

GHSA-JQ79-7R7X-WCGV

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Information disclosure in aspx pages in MV\u0027s IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application.",
  "id": "GHSA-jq79-7r7x-wcgv",
  "modified": "2022-05-24T19:08:26Z",
  "published": "2022-05-24T19:08:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ifmacedo/mconnect/blob/main/sensitiveDataExposure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JQH2-CH7P-XWXH

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-12-06 12:30
VLAI
Summary
Quarkus CXF logs passwords and other secrets
Details

A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkiverse.cxf:quarkus-cxf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T22:23:11Z",
    "nvd_published_at": "2024-10-08T17:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the  application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.",
  "id": "GHSA-jqh2-ch7p-xwxh",
  "modified": "2024-12-06T12:30:47Z",
  "published": "2024-10-08T18:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-cxf/issues/1533"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-cxf/commit/8ed72cab8db8e5659e294b05529d2b45557859bd"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10035"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9621"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317130"
    },
    {
      "type": "WEB",
      "url": "https://docs.quarkiverse.io/quarkus-cxf/dev/release-notes/3.15.2.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkiverse/quarkus-cxf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Quarkus CXF logs passwords and other secrets"
}

GHSA-JQQ8-Q6F3-QFXH

Vulnerability from github – Published: 2025-03-27 06:32 – Updated: 2025-03-27 06:32
VLAI
Details

HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T05:15:38Z",
    "severity": "MODERATE"
  },
  "details": "HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user.",
  "id": "GHSA-jqq8-q6f3-qfxh",
  "modified": "2025-03-27T06:32:04Z",
  "published": "2025-03-27T06:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0273"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR38-4278-53PJ

Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-18 21:31
VLAI
Details

In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T16:15:57Z",
    "severity": "HIGH"
  },
  "details": "In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI.",
  "id": "GHSA-jr38-4278-53pj",
  "modified": "2025-12-18T21:31:34Z",
  "published": "2025-12-16T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14432"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_13612310-13612332-16/hpsbpy04080"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JRP2-PGJJ-VWPM

Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 18:32
VLAI
Details

CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T16:15:24Z",
    "severity": "MODERATE"
  },
  "details": "CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure\nof FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an\nadministrative user and the debug files are exported from the device.",
  "id": "GHSA-jrp2-pgjj-vwpm",
  "modified": "2025-03-12T18:32:53Z",
  "published": "2025-03-12T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2002"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-070-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.