Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-Q5J5-G96W-H2X7

Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-29 15:31
VLAI
Details

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-24T17:15:16Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.",
  "id": "GHSA-q5j5-g96w-h2x7",
  "modified": "2024-10-29T15:31:59Z",
  "published": "2024-10-24T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44205"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120908"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120909"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120910"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120911"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120912"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5QJ-42FQ-523R

Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31
VLAI
Details

Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-13T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim\u0027s iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf.",
  "id": "GHSA-q5qj-42fq-523r",
  "modified": "2022-05-14T03:31:32Z",
  "published": "2022-05-14T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ionic-team/cordova-plugin-ios-keychain/pull/29/commits/980230645c8ea3b531b85401de5e4bca0f860e42#diff-936020291e4c2115faff0171f20672a4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q636-FX55-GFR2

Vulnerability from github – Published: 2024-08-19 06:30 – Updated: 2024-08-19 18:32
VLAI
Details

AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-19T06:15:05Z",
    "severity": "HIGH"
  },
  "details": "AI Engine \u003c 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of \"logs_path\", allowing Administrators to change log filetypes from .log to .php.",
  "id": "GHSA-q636-fx55-gfr2",
  "modified": "2024-08-19T18:32:07Z",
  "published": "2024-08-19T06:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6451"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/fc06d413-a227-470c-a5b7-cdab57aeab34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q642-PW99-8MX6

Vulnerability from github – Published: 2022-05-17 03:01 – Updated: 2022-05-17 03:01
VLAI
Details

IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in in log files that could be read by an authenticated user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-01T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in in log files that could be read by an authenticated user.",
  "id": "GHSA-q642-pw99-8mx6",
  "modified": "2022-05-17T03:01:32Z",
  "published": "2022-05-17T03:01:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8912"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/118390"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21993982"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94324"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q664-XXJG-CM3G

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.",
  "id": "GHSA-q664-xxjg-cm3g",
  "modified": "2022-05-13T01:15:19Z",
  "published": "2022-05-13T01:15:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0004"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q683-8468-R6H6

Vulnerability from github – Published: 2026-06-26 21:00 – Updated: 2026-06-26 21:00
VLAI
Summary
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Details

Impact

Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess() and onAuthenticationFailure() at INFO level:

$this->logger->info('User has been authenticated successfully with Webauthn.', [
    'request' => $request,
    'firewallName' => $firewallName,
    'identifier' => $token->getUserIdentifier(),
]);

$this->logger->info('Webauthn authentication request failed.', [
    'request' => $request,
    'exception' => $exception,
]);

Request::__toString() returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for LineFormatter, JsonFormatter via NormalizerFormatter, etc.), sensitive headers such as Cookie (session identifier), Authorization and any custom auth header are written to the log stream in clear text.

Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.

Affected versions

Every release prior to 5.3.4 is affected.

Patches

The fix removes the full Request object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.

Workarounds

Until the upgrade is applied, projects can:

  1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.
  2. Configure their Monolog processor/formatter to strip the request key from the context of these records before they are written.

Credit

Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-auth/webauthn-symfony-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:00:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n`Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator` logs the full `Symfony\\Component\\HttpFoundation\\Request` object inside the log context of both `onAuthenticationSuccess()` and `onAuthenticationFailure()` at INFO level:\n\n```php\n$this-\u003elogger-\u003einfo(\u0027User has been authenticated successfully with Webauthn.\u0027, [\n    \u0027request\u0027 =\u003e $request,\n    \u0027firewallName\u0027 =\u003e $firewallName,\n    \u0027identifier\u0027 =\u003e $token-\u003egetUserIdentifier(),\n]);\n\n$this-\u003elogger-\u003einfo(\u0027Webauthn authentication request failed.\u0027, [\n    \u0027request\u0027 =\u003e $request,\n    \u0027exception\u0027 =\u003e $exception,\n]);\n```\n\n`Request::__toString()` returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for `LineFormatter`, `JsonFormatter` via `NormalizerFormatter`, etc.), sensitive headers such as `Cookie` (session identifier), `Authorization` and any custom auth header are written to the log stream in clear text.\n\nApplications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.\n\n## Affected versions\n\nEvery release prior to 5.3.4 is affected.\n\n## Patches\n\nThe fix removes the full `Request` object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.\n\n## Workarounds\n\nUntil the upgrade is applied, projects can:\n\n1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.\n2. Configure their Monolog processor/formatter to strip the `request` key from the context of these records before they are written.\n\n## Credit\n\nReported by Kay Joosten (Dawn Technology), maintainer of [Stepup-Webauthn](https://github.com/OpenConext/Stepup-Webauthn).",
  "id": "GHSA-q683-8468-r6h6",
  "modified": "2026-06-26T21:00:49Z",
  "published": "2026-06-26T21:00:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-q683-8468-r6h6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/web-auth/webauthn-framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs"
}

GHSA-Q6FP-96RM-R5MQ

Vulnerability from github – Published: 2024-01-05 12:30 – Updated: 2026-04-28 21:33
VLAI
Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-05T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.",
  "id": "GHSA-q6fp-96rm-r5mq",
  "modified": "2026-04-28T21:33:45Z",
  "published": "2024-01-05T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52146"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/404-solution/wordpress-404-solution-plugin-2-33-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6FR-25PH-FPVF

Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32
VLAI
Details

HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T14:16:58Z",
    "severity": "MODERATE"
  },
  "details": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.",
  "id": "GHSA-q6fr-25ph-fpvf",
  "modified": "2026-06-29T15:32:06Z",
  "published": "2026-06-29T15:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56457"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6HQ-Q4XR-93FP

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02
VLAI
Details

SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
  "id": "GHSA-q6hq-q4xr-93fp",
  "modified": "2022-01-22T00:02:03Z",
  "published": "2022-01-15T00:01:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44234"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3106528"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q722-MHCX-9M8W

Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40679"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T01:15:06Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.",
  "id": "GHSA-q722-mhcx-9m8w",
  "modified": "2025-01-08T03:30:23Z",
  "published": "2025-01-08T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40679"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7175957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.