Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-MJJG-JGRJ-9453

Vulnerability from github – Published: 2025-02-11 21:32 – Updated: 2025-02-13 18:32
VLAI
Details

A security issue in Sitevision version 10.3.1 and older allows a remote attacker, in certain (non-default) scenarios, to gain access to the private keys used for signing SAML Authn requests. The underlying issue is a Java keystore that may become accessible and downloadable via WebDAV. This keystore is protected with a low-complexity, auto-generated password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T19:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A security issue in Sitevision version 10.3.1 and older allows a remote attacker, in certain (non-default) scenarios, to gain access to the private keys used for signing SAML Authn requests. The underlying issue is a Java keystore that may become accessible and downloadable via WebDAV. This keystore is protected with a low-complexity, auto-generated password.",
  "id": "GHSA-mjjg-jgrj-9453",
  "modified": "2025-02-13T18:32:31Z",
  "published": "2025-02-11T21:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35202"
    },
    {
      "type": "WEB",
      "url": "https://developer.sitevision.se/archives/release-notes/release-notes/2022-05-06-release-notes-sitevision-10.3"
    },
    {
      "type": "WEB",
      "url": "https://www.shelltrail.com/research/how-auto-generated-passwords-in-sitevision-leads-to-signing-key-leakage-cve-2022-35202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJR4-9RV8-9G3F

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information.",
  "id": "GHSA-mjr4-9rv8-9g3f",
  "modified": "2022-05-13T01:34:02Z",
  "published": "2022-05-13T01:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17499"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149659"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJV9-VP6W-3RC9

Vulnerability from github – Published: 2023-04-26 16:01 – Updated: 2026-04-06 17:17
VLAI
Summary
AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
Details

The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, SigningParams is printed, thereby revealing those credentials to anyone with access to logs.

Impact

All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. RUST_LOG=trace), or for the aws-sigv4 crate specifically.

Patches

  • Versions >= 0.55.1
  • 0.54.2
  • 0.53.2
  • 0.52.1
  • 0.51.1
  • 0.50.1
  • 0.49.1
  • 0.48.1
  • 0.47.1
  • 0.46.1
  • 0.15.1
  • 0.14.1
  • 0.13.1
  • 0.12.1
  • 0.11.1
  • 0.10.2
  • 0.9.1
  • 0.8.1
  • 0.7.1
  • 0.6.1
  • 0.5.3
  • 0.3.1
  • 0.2.1

Workarounds

Disable TRACE-level logging for AWS Rust SDK crates.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.55.0"
            },
            {
              "fixed": "0.55.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.55.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.54.1"
            },
            {
              "fixed": "0.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.54.1"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.53.1"
            },
            {
              "fixed": "0.53.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.53.1"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.52.0"
            },
            {
              "fixed": "0.52.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.52.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.51.0"
            },
            {
              "fixed": "0.51.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.51.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.49.0"
            },
            {
              "fixed": "0.49.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.49.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.48.0"
            },
            {
              "fixed": "0.48.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.48.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.47.0"
            },
            {
              "fixed": "0.47.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.47.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.46.0"
            },
            {
              "fixed": "0.46.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.46.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.15.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.14.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.13.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.12.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.11.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.1"
            },
            {
              "fixed": "0.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.1"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.2"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.5.2"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.1"
            },
            {
              "fixed": "0.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.4.1"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.3.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-sigv4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-26T16:01:10Z",
    "nvd_published_at": "2023-04-19T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user\u0027s AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs.\n\n### Impact\nAll users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically.\n\n### Patches\n- Versions \u003e= `0.55.1`\n- `0.54.2`\n- `0.53.2`\n- `0.52.1`\n- `0.51.1`\n- `0.50.1`\n- `0.49.1`\n- `0.48.1`\n- `0.47.1`\n- `0.46.1`\n- `0.15.1`\n- `0.14.1`\n- `0.13.1`\n- `0.12.1`\n- `0.11.1`\n- `0.10.2`\n- `0.9.1`\n- `0.8.1`\n- `0.7.1`\n- `0.6.1`\n- `0.5.3`\n- `0.3.1`\n- `0.2.1`\n\n### Workarounds\nDisable TRACE-level logging for AWS Rust SDK crates.",
  "id": "GHSA-mjv9-vp6w-3rc9",
  "modified": "2026-04-06T17:17:04Z",
  "published": "2023-04-26T16:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30610"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/awslabs/aws-sdk-rust"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0125.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending"
}

GHSA-MMC8-8J7M-RCWJ

Vulnerability from github – Published: 2025-09-12 18:31 – Updated: 2025-09-12 18:31
VLAI
Details

A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. Normally, these application logs are only viewable by local users and are included when generating logs for troubleshooting purposes. This means that these credentials are exposed to recipients of the application logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-12T18:15:34Z",
    "severity": "LOW"
  },
  "details": "A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. Normally, these application logs are only viewable by local users and are included when generating logs for troubleshooting purposes. This means that these credentials are exposed to recipients of the application logs.",
  "id": "GHSA-mmc8-8j7m-rcwj",
  "modified": "2025-09-12T18:31:10Z",
  "published": "2025-09-12T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4234"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-4234"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MMW4-F58V-GJ6M

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Windows Kernel Memory Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Windows Kernel Memory Information Disclosure Vulnerability",
  "id": "GHSA-mmw4-f58v-gj6m",
  "modified": "2025-01-14T18:32:04Z",
  "published": "2025-01-14T18:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21319"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21319"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MP65-CJ4X-X9FQ

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs and use the stolen credentials to make changes to the network domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-08T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs and use the stolen credentials to make changes to the network domain.",
  "id": "GHSA-mp65-cj4x-x9fq",
  "modified": "2022-05-24T19:04:19Z",
  "published": "2022-05-24T19:04:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21558"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MPF9-68P5-X53H

Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 21:30
VLAI
Details

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to disclose kernel memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T01:17:10Z",
    "severity": "MODERATE"
  },
  "details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to disclose kernel memory.",
  "id": "GHSA-mpf9-68p5-x53h",
  "modified": "2026-03-25T21:30:31Z",
  "published": "2026-03-25T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28868"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126792"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126793"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126794"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126795"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126796"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126798"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPR2-984F-35C4

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where configuration secrets for the “http”, “email”, and “snmptrap” v3 log forwarding server profiles can be logged to the logrcvr.log system log. Logged information may include up to 1024 bytes of the configuration including the username and password in an encrypted form and private keys used in any certificate profiles set for log forwarding server profiles. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where configuration secrets for the \u201chttp\u201d, \u201cemail\u201d, and \u201csnmptrap\u201d v3 log forwarding server profiles can be logged to the logrcvr.log system log. Logged information may include up to 1024 bytes of the configuration including the username and password in an encrypted form and private keys used in any certificate profiles set for log forwarding server profiles. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.",
  "id": "GHSA-mpr2-984f-35c4",
  "modified": "2022-05-24T22:28:48Z",
  "published": "2022-05-24T22:28:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3032"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2021-3032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MPX4-JMPR-VM8V

Vulnerability from github – Published: 2026-06-18 15:05 – Updated: 2026-06-18 15:05
VLAI
Summary
PGHoard: Password written to debug log
Details

Impact

When using .pgpass, database connection information including the username and password will be logged at the debug level.

Patches

Upgrade to version 2.7.1 or greater.

Workarounds

Filter out debug-level logs.

References

This issue was discovered by BugCrowd user DRAKOKORIAN.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pghoard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T15:05:20Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nWhen using .pgpass, database connection information including the username and password will be logged at the debug level.\n\n### Patches\nUpgrade to version 2.7.1 or greater.\n\n### Workarounds\nFilter out debug-level logs.\n\n### References\nThis issue was discovered by BugCrowd user DRAKOKORIAN.",
  "id": "GHSA-mpx4-jmpr-vm8v",
  "modified": "2026-06-18T15:05:20Z",
  "published": "2026-06-18T15:05:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Aiven-Open/pghoard/security/advisories/GHSA-mpx4-jmpr-vm8v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Aiven-Open/pghoard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PGHoard: Password written to debug log"
}

GHSA-MQMF-5457-4F39

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network).",
  "id": "GHSA-mqmf-5457-4f39",
  "modified": "2022-05-24T19:15:41Z",
  "published": "2022-05-24T19:15:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-111.md"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/80c404c4b79f3bcba3fc4585d4c62a62a04f3ed9"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/434"
    },
    {
      "type": "WEB",
      "url": "https://sick.codes/sick-2021-111"
    },
    {
      "type": "WEB",
      "url": "https://www.privacyaffairs.com/cve-2021-39246-tor-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.