Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-V38P-4R5V-PVCQ

Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2025-04-20 03:36
VLAI
Details

On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "SEND data" log lines where passwords are encoded in hexadecimal. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-23T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from \"SEND data\" log lines where passwords are encoded in hexadecimal. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.",
  "id": "GHSA-v38p-4r5v-pvcq",
  "modified": "2025-04-20T03:36:32Z",
  "published": "2022-05-17T02:47:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8074"
    },
    {
      "type": "WEB",
      "url": "https://chmod750.com/2017/04/23/vulnerability-disclosure-tp-link"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97981"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V39G-WRM7-W5P9

Vulnerability from github – Published: 2024-03-28 09:31 – Updated: 2026-04-28 21:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in PeepSo Community by PeepSo.This issue affects Community by PeepSo: from n/a through 6.2.7.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T07:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in PeepSo Community by PeepSo.This issue affects Community by PeepSo: from n/a through 6.2.7.0.",
  "id": "GHSA-v39g-wrm7-w5p9",
  "modified": "2026-04-28T21:34:24Z",
  "published": "2024-03-28T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25923"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/peepso-core/wordpress-community-by-peepso-plugin-6-2-7-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3FV-V9M6-26G3

Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:36
VLAI
Summary
Jenkins HashiCorp Vault Plugin has improper masking of credentials
Details

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

  • The credentials are printed in build steps executing on an agent (typically inside a node block).

  • Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

An improvement in Credentials Binding 523.525.vb_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.datapipe.jenkins.plugins:hashicorp-vault-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "360.v0a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:36:48Z",
    "nvd_published_at": "2023-05-16T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like `sh` and `bat`, when both of the following conditions are met:\n\n- The credentials are printed in build steps executing on an agent (typically inside a `node` block).\n\n- Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property `org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING`. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.\n\nAn improvement in Credentials Binding 523.525.vb_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-v3fv-v9m6-26g3",
  "modified": "2023-05-17T03:36:48Z",
  "published": "2023-05-16T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33001"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3077"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins HashiCorp Vault Plugin has improper masking of credentials"
}

GHSA-V3VC-6QCV-4VRX

Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 20:10
VLAI
Summary
Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log
Details

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-framework-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.16.0"
            },
            {
              "fixed": "1.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-M4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-framework-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-M1"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T20:10:45Z",
    "nvd_published_at": "2024-11-21T11:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration.",
  "id": "GHSA-v3vc-6qcv-4vrx",
  "modified": "2025-02-11T20:10:46Z",
  "published": "2025-02-11T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/5aed878c5d2a193cd2039c2e997bc3025046bc41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/c1108365949268631526d5016b1a163a82f8e9df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/nifi"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/NIFI-13971"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/9rz5rwn2zc7pfjq7ppqldqlc067tlcwd"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/11/20/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/AU:Y/R:U/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log"
}

GHSA-V4PF-63WF-QFWW

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-18 00:30
VLAI
Details

Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.",
  "id": "GHSA-v4pf-63wf-qfww",
  "modified": "2022-11-18T00:30:18Z",
  "published": "2022-11-16T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-06.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V554-XWGW-HC3W

Vulnerability from github – Published: 2024-05-15 17:09 – Updated: 2024-05-15 19:30
VLAI
Summary
source-controller leaks Azure Storage SAS token into logs
Details

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

https://github.com/fluxcd/source-controller/pull/1430

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the source-controller repository.
  • Contact us at the CNCF Flux Channel.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/source-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T17:09:24Z",
    "nvd_published_at": "2024-05-15T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.\n\n### Patches\n\nThis vulnerability was fixed in source-controller **v1.2.5**.\n\n### Workarounds\n\nThere is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure). \n\n### Credits\n\nThis issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.\n\n### References\n\nhttps://github.com/fluxcd/source-controller/pull/1430\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in the source-controller repository.\n- Contact us at the CNCF Flux Channel.\n",
  "id": "GHSA-v554-xwgw-hc3w",
  "modified": "2024-05-15T19:30:09Z",
  "published": "2024-05-15T17:09:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/pull/1430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/source-controller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "source-controller leaks Azure Storage SAS token into logs"
}

GHSA-V5J2-W836-Q3P2

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00
VLAI
Details

Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.",
  "id": "GHSA-v5j2-w836-q3p2",
  "modified": "2022-06-12T00:00:45Z",
  "published": "2022-06-08T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30733"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5W4-FVFM-37M6

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Windows Kernel Memory Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Windows Kernel Memory Information Disclosure Vulnerability",
  "id": "GHSA-v5w4-fvfm-37m6",
  "modified": "2025-01-14T18:32:04Z",
  "published": "2025-01-14T18:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21323"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21323"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6FX-59RV-2M7Q

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.",
  "id": "GHSA-v6fx-59rv-2m7q",
  "modified": "2022-05-24T17:45:23Z",
  "published": "2022-05-24T17:45:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25350"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V6MG-7F7P-QMQP

Vulnerability from github – Published: 2024-06-04 17:52 – Updated: 2024-06-04 17:52
VLAI
Summary
apko Exposure of HTTP basic auth credentials in log output
Details

Summary

Exposure of HTTP basic auth credentials from repository and keyring URLs in log output

Details

There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:

  1. The%s verb was used to format a url.URL as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.
  2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.

apko, as well as its companion library go-apk, have been updated to ensure URLs are parsed and redacted before being output as string values.

PoC

Create a config file like this apko.yaml:

contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://me%40example.com:supersecretpassword@localhost:8080/os
  packages:
    - wolfi-base

cmd: /bin/sh -l

archs:
- x86_64
- aarch64

Then run:

apko build apko.yaml latest foo.tar --log-level debug

Observe instances of the password being shown verbatim in the log output, such as:

...
DEBU image configuration:
contents:
    repositories:
        - https://me%40example.com:supersecretpassword@localhost:8080/os
    keyring:
        - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    packages:
        - wolfi-base
...

Impact

For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "chainguard.dev/apko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-04T17:52:15Z",
    "nvd_published_at": "2024-06-03T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nExposure of HTTP basic auth credentials from repository and keyring URLs in log output\n\n### Details\n\nThere was a handful of instances where the `apko` tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:\n\n1. The`%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.\n2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.\n\napko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values.\n\n### PoC\n\nCreate a config file like this `apko.yaml`:\n\n```yaml\ncontents:\n  keyring:\n    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n  repositories:\n    - https://me%40example.com:supersecretpassword@localhost:8080/os\n  packages:\n    - wolfi-base\n\ncmd: /bin/sh -l\n\narchs:\n- x86_64\n- aarch64\n```\n\nThen run:\n\n```shell\napko build apko.yaml latest foo.tar --log-level debug\n```\n\nObserve instances of the password being shown verbatim in the log output, such as:\n\n```text\n...\nDEBU image configuration:\ncontents:\n    repositories:\n        - https://me%40example.com:supersecretpassword@localhost:8080/os\n    keyring:\n        - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n    packages:\n        - wolfi-base\n...\n```\n\n### Impact\n\nFor users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user\u0027s logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.",
  "id": "GHSA-v6mg-7f7p-qmqp",
  "modified": "2024-06-04T17:52:15Z",
  "published": "2024-06-04T17:52:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/apko"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "apko Exposure of HTTP basic auth credentials in log output"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.