CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-R794-WG43-VP3F
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests. Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.
{
"affected": [],
"aliases": [
"CVE-2021-3036"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-20T04:15:00Z",
"severity": "MODERATE"
},
"details": "An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests. Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.",
"id": "GHSA-r794-wg43-vp3f",
"modified": "2022-05-24T17:47:57Z",
"published": "2022-05-24T17:47:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3036"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2021-3036"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R7MG-Q5MV-QG2V
Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
{
"affected": [],
"aliases": [
"CVE-2025-14437"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T13:15:47Z",
"severity": "HIGH"
},
"details": "The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the \u0027request\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.",
"id": "GHSA-r7mg-q5mv-qg2v",
"modified": "2025-12-18T15:30:43Z",
"published": "2025-12-18T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14437"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R87R-6J6C-XX59
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-19 00:01Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log
{
"affected": [],
"aliases": [
"CVE-2022-25826"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "LOW"
},
"details": "Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log",
"id": "GHSA-r87r-6j6c-xx59",
"modified": "2022-03-19T00:01:33Z",
"published": "2022-03-11T00:02:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25826"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8MH-6H4V-V5RM
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-11 19:00Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.
{
"affected": [],
"aliases": [
"CVE-2022-39876"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T15:15:00Z",
"severity": "LOW"
},
"details": "Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.",
"id": "GHSA-r8mh-6h4v-v5rm",
"modified": "2022-10-11T19:00:27Z",
"published": "2022-10-07T18:15:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39876"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R942-7MJ9-P58W
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-12 18:30The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user's installed apps.
{
"affected": [],
"aliases": [
"CVE-2026-20663"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:08Z",
"severity": "LOW"
},
"details": "The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user\u0027s installed apps.",
"id": "GHSA-r942-7mj9-p58w",
"modified": "2026-02-12T18:30:23Z",
"published": "2026-02-12T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20663"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R96M-RQ4F-96V2
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-10-16 19:00Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.
{
"affected": [],
"aliases": [
"CVE-2021-36318"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.",
"id": "GHSA-r96m-rq4f-96v2",
"modified": "2022-10-16T19:00:30Z",
"published": "2021-12-22T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36318"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-09"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000193369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R96X-G4H4-74Q6
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
{
"affected": [],
"aliases": [
"CVE-2019-8944"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-20T03:29:00Z",
"severity": "MODERATE"
},
"details": "An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.",
"id": "GHSA-r96x-g4h4-74q6",
"modified": "2022-05-13T01:08:17Z",
"published": "2022-05-13T01:08:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8944"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5314"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5315"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9RQ-9R78-P9GM
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-22447"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:28Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-r9rq-9r78-p9gm",
"modified": "2024-04-04T04:00:33Z",
"published": "2023-05-10T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22447"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00827.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC54-2G2C-G36G
Vulnerability from github – Published: 2025-10-22 19:55 – Updated: 2025-10-23 17:40Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to:
sys/rawwith use ofencoding=base64, all data would be emitted unredacted to the audit log.- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.
Third-party plugins may be affected.
This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.
Patches
OpenBao v2.4.2 will patch this issue.
Workarounds
If users do not use the above functionality, they are not impacted. To prohibit the use of sys/raw globally, ensure raw_storage_endpoint=false is set or missing from the server configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251022165510-cc2c476bac66"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62705"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:55:40Z",
"nvd_published_at": "2025-10-22T22:15:35Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao\u0027s audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:\n\n- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.\n- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.\n\nThird-party plugins may be affected.\n\nThis issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. \n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.",
"id": "GHSA-rc54-2g2c-g36g",
"modified": "2025-10-23T17:40:56Z",
"published": "2025-10-22T19:55:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62705"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenBao and Vault Leak []byte Fields in Audit Logs "
}
GHSA-RC5C-4C27-CG98
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-20 00:00Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.
{
"affected": [],
"aliases": [
"CVE-2022-28774"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.",
"id": "GHSA-rc5c-4c27-cg98",
"modified": "2022-05-20T00:00:40Z",
"published": "2022-05-12T00:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28774"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3158188"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.