Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1742 vulnerabilities reference this CWE, most recent first.

GHSA-VWCJ-7F4R-R8XJ

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45
VLAI
Details

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-20T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.",
  "id": "GHSA-vwcj-7f4r-r8xj",
  "modified": "2022-05-13T01:45:51Z",
  "published": "2022-05-13T01:45:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3744"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/product_security/LEN-14054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWQ9-CMQR-3C8C

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-10-26 16:44
VLAI
Summary
Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin
Details

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.

Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).

Since Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type Secret, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages. See the logging documentation for details.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.24"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T23:08:40Z",
    "nvd_published_at": "2019-07-31T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.\n\nBetween Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).\n\nSince Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type `Secret`, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the `Secret` type to store credentials encrypted on disk while not having the Secret type appear in their Java API.\n\nConfiguration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. As a workaround, administrators can configure the logging level of the logger `io.jenkins.plugins.casc.Attribute` to a level that does not include `INFO` messages. See the logging documentation for details.",
  "id": "GHSA-vwq9-cmqr-3c8c",
  "modified": "2023-10-26T16:44:50Z",
  "published": "2022-05-24T16:51:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/73afe3cb10a723cb06e29c2e5499206aadae3a0d"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1279"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin"
}

GHSA-VX3J-9RM2-Q676

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Multiple Exposure of sensitive information to an unauthorized actor vulnerabilities [CWE-200] in FortiAIOps version 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T16:15:05Z",
    "severity": "HIGH"
  },
  "details": "Multiple Exposure of sensitive information to an unauthorized actor vulnerabilities [CWE-200] in FortiAIOps version 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files.",
  "id": "GHSA-vx3j-9rm2-q676",
  "modified": "2024-07-09T18:30:49Z",
  "published": "2024-07-09T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27784"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX74-PG4C-JQ5Q

Vulnerability from github – Published: 2024-03-14 18:30 – Updated: 2024-03-14 18:30
VLAI
Details

Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2316.5.1.2 may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-14T17:15:50Z",
    "severity": "LOW"
  },
  "details": "Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2316.5.1.2 may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-vx74-pg4c-jq5q",
  "modified": "2024-03-14T18:30:30Z",
  "published": "2024-03-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27502"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00923.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX87-P8VV-J974

Vulnerability from github – Published: 2024-03-31 21:30 – Updated: 2026-04-28 21:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro – Mailchimp Add On pmpro-mailchimp.This issue affects Paid Memberships Pro – Mailchimp Add On: from n/a through 2.3.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-31T19:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro \u2013 Mailchimp Add On pmpro-mailchimp.This issue affects Paid Memberships Pro \u2013 Mailchimp Add On: from n/a through 2.3.4.",
  "id": "GHSA-vx87-p8vv-j974",
  "modified": "2026-04-28T21:34:27Z",
  "published": "2024-03-31T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30523"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/pmpro-mailchimp/wordpress-paid-memberships-pro-mailchimp-add-on-plugin-2-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX9J-G89F-RRVX

Vulnerability from github – Published: 2026-06-11 00:32 – Updated: 2026-07-07 15:32
VLAI
Details

An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions even if the GlobalProtect app configuration would not normally permit them to do so.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T22:16:53Z",
    "severity": "MODERATE"
  },
  "details": "An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions even if the GlobalProtect app configuration would not normally permit them to do so.",
  "id": "GHSA-vx9j-g89f-rrvx",
  "modified": "2026-07-07T15:32:50Z",
  "published": "2026-06-11T00:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0267"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2024-8687"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2026-0267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VXC5-78F8-RHP4

Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-06-14 15:31
VLAI
Details

Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext.

This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-30T15:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext.\n\nThis vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.",
  "id": "GHSA-vxc5-78f8-rhp4",
  "modified": "2024-06-14T15:31:24Z",
  "published": "2024-04-30T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2877"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240614-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXG3-W9RV-RHR2

Vulnerability from github – Published: 2025-08-28 16:46 – Updated: 2025-08-28 16:46
VLAI
Summary
Contrast leaks workload secrets to logs on INFO level
Details

This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.

Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.

Impact

  • Workload secrets are visible to Kubernetes users with get or list permission on pods/logs, and thus need to be considered compromised.
  • Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.

Patches

Patches:

  • https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
  • https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554

The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.

Workarounds

Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.

References

First occurrence: * https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8

We are defining a process for handling GHSAs that should prevent such regressions in the future: * https://github.com/edgelesssys/contrast/pull/1739

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.12.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/contrast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T16:46:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release `v1.8.1`, but the fix was not ported to the main branch and thus not present in releases `v1.9.0` ff.\n\nBelow is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.\n\n### Impact\n\n* [Workload secrets](https://docs.edgeless.systems/contrast/1.11/architecture/secrets#workload-secrets) are visible to Kubernetes users with `get` or `list` permission on `pods/logs`, and thus need to be considered compromised.\n* Since workload secrets are used for [encrypted storage](https://docs.edgeless.systems/contrast/1.11/howto/encrypted-storage) and [Vault integration](https://docs.edgeless.systems/contrast/1.11/howto/vault), those need to be considered compromised, too.\n\n### Patches\n\nPatches:\n\n* https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225\n* https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554\n\nThe patches are released with `v1.12.2` and `v1.13.0` (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.\n\n### Workarounds\n\nExisting workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off. \n\n### References\n\nFirst occurrence:\n* https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8\n\nWe are defining a process for handling GHSAs that should prevent such regressions in the future:\n* https://github.com/edgelesssys/contrast/pull/1739",
  "id": "GHSA-vxg3-w9rv-rhr2",
  "modified": "2025-08-28T16:46:40Z",
  "published": "2025-08-28T16:46:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-vxg3-w9rv-rhr2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/pull/1739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/contrast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Contrast leaks workload secrets to logs on INFO level"
}

GHSA-VXVM-QWW3-2FH7

Vulnerability from github – Published: 2023-08-29 18:31 – Updated: 2025-11-03 21:30
VLAI
Summary
MongoDB Driver may publish events containing authentication-related data
Details

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mongodb/mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0"
            },
            {
              "fixed": "3.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/mongodb/mongo-swift-driver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-30T21:20:44Z",
    "nvd_published_at": "2023-08-29T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.\n\nWithout due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).\n\nThis issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).",
  "id": "GHSA-vxvm-qww3-2fh7",
  "modified": "2025-11-03T21:30:53Z",
  "published": "2023-08-29T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32050"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-php-driver/pull/1235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-swift-driver/pull/643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-php-driver/commit/4495de8313c0d313e4dde906fc7aedf998ee3748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/node-mongodb-native/commit/8c8b4c3b8c55f10fb96f63d3bbfa5d408b4ed7d0"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/CDRIVER-3797"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/CXX-2028"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/NODE-3356"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/PHPC-1869"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SWIFT-1229"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231006-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MongoDB Driver may publish events containing authentication-related data"
}

GHSA-VXWR-95XC-XXRG

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization. Affected products are: Juniper Networks Service Insight versions from 15.1R1, prior to 18.1R1. Service Now versions from 15.1R1, prior to 18.1R1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-10T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization. Affected products are: Juniper Networks Service Insight versions from 15.1R1, prior to 18.1R1. Service Now versions from 15.1R1, prior to 18.1R1.",
  "id": "GHSA-vxwr-95xc-xxrg",
  "modified": "2022-05-13T01:15:22Z",
  "published": "2022-05-13T01:15:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0032"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10921"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/KB27572"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107885"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.