CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
CVE-2024-47083 (GCVE-0-2024-47083)
Vulnerability from cvelistv5 – Published: 2024-09-25 21:21 – Updated: 2024-09-26 15:39| URL | Tags |
|---|---|
| https://github.com/microsoft/terraform-provider-p… | x_refsource_CONFIRM |
| https://github.com/microsoft/terraform-provider-p… | x_refsource_MISC |
| https://registry.terraform.io/providers/microsoft… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | terraform-provider-power-platform |
Affected:
< 3.0.0
|
|
| microsoft | terraform_provider_power_platform |
Affected:
0 , < 3.0.0
(custom)
cpe:2.3:a:microsoft:terraform_provider_power_platform:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:terraform_provider_power_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "terraform_provider_power_platform",
"vendor": "microsoft",
"versions": [
{
"lessThan": "3.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T15:03:36.920582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T15:39:10.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "terraform-provider-power-platform",
"vendor": "microsoft",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Power Platform Terraform Provider allows managing environments and other resources within Power Platform. Versions prior to 3.0.0 have an issue in the Power Platform Terraform Provider where sensitive information, specifically the `client_secret` used in the service principal authentication, may be exposed in logs. This exposure occurs due to an error in the logging code that causes the `client_secret` to not be properly masked when logs are persisted or viewed. Users should upgrade to version 3.0.0 to receive a patched version of the provider that removes all logging of sensitive content. Users who have used this provider with the affected versions should take the following additional steps to mitigate the risk: Immediately rotate the `client_secret` for any service principal that has been configured using this Terraform provider. This will invalidate any potentially exposed secrets. Those who have set the `TF_LOG_PATH` environment variable or configured Terraform to persist logs to a file or an external system, consider disabling this until they have updated to a fixed version of the provider. Those who have existing logs that may contain the `client_secret` should remove or sanitize these logs to prevent unauthorized access. This includes logs on disk, in monitoring systems, or in logging services."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T21:21:28.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/microsoft/terraform-provider-power-platform/security/advisories/GHSA-7w3w-pjm5-m36c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/microsoft/terraform-provider-power-platform/security/advisories/GHSA-7w3w-pjm5-m36c"
},
{
"name": "https://github.com/microsoft/terraform-provider-power-platform/releases/tag/v3.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/microsoft/terraform-provider-power-platform/releases/tag/v3.0.0"
},
{
"name": "https://registry.terraform.io/providers/microsoft/power-platform/latest/docs#authenticating-to-power-platform-using-a-service-principal-with-oidc",
"tags": [
"x_refsource_MISC"
],
"url": "https://registry.terraform.io/providers/microsoft/power-platform/latest/docs#authenticating-to-power-platform-using-a-service-principal-with-oidc"
}
],
"source": {
"advisory": "GHSA-7w3w-pjm5-m36c",
"discovery": "UNKNOWN"
},
"title": "Power Platform Terraform Provider has Improper Masking of Secrets in Logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47083",
"datePublished": "2024-09-25T21:21:28.818Z",
"dateReserved": "2024-09-17T17:42:37.030Z",
"dateUpdated": "2024-09-26T15:39:10.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45674 (GCVE-0-2024-45674)
Vulnerability from cvelistv5 – Published: 2025-02-21 23:29 – Updated: 2025-08-15 14:26- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7183801 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security Verify Bridge Directory Sync |
Affected:
1.0.1 , ≤ 1.0.12
(semver)
cpe:2.3:a:ibm:security_verify_bridge:1.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:security_verify_bridge:1.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-22T15:32:32.616059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T15:32:48.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_verify_bridge:1.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:security_verify_bridge:1.0.12:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Security Verify Bridge Directory Sync",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.0.12",
"status": "affected",
"version": "1.0.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003estores potentially sensitive information in log files that could be read by a local user.\u003c/span\u003e"
}
],
"value": "IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 \n\nstores potentially sensitive information in log files that could be read by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:26:14.800Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183801"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Verify Bridge information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45674",
"datePublished": "2025-02-21T23:29:17.020Z",
"dateReserved": "2024-09-03T13:50:43.964Z",
"dateUpdated": "2025-08-15T14:26:14.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45091 (GCVE-0-2024-45091)
Vulnerability from cvelistv5 – Published: 2025-01-21 00:41 – Updated: 2025-01-21 16:41- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | UrbanCode Deploy |
Affected:
7.0 , ≤ 7.0.5.24
(semver)
Affected: 7.1 , ≤ 7.1.2.10 (semver) Affected: 7.2 , ≤ 7.2.3.13 (semver) cpe:2.3:a:ibm:urbancode_deploy:7.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:urbancode_deploy:7.0.5.24:*:*:*:*:*:*:* cpe:2.3:a:ibm:urbancode_deploy:7.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:urbancode_deploy:7.1.2.10:*:*:*:*:*:*:* cpe:2.3:a:ibm:urbancode_deploy:7.2:*:*:*:*:*:*:* cpe:2.3:a:ibm:urbancode_deploy:7.2.3.13:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T16:41:01.015063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T16:41:10.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:urbancode_deploy:7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:urbancode_deploy:7.0.5.24:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:urbancode_deploy:7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:urbancode_deploy:7.1.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:urbancode_deploy:7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:urbancode_deploy:7.2.3.13:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "UrbanCode Deploy",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "7.0.5.24",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.2.10",
"status": "affected",
"version": "7.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.2.3.13",
"status": "affected",
"version": "7.2",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.24, 7.1 through 7.1.2.10, and 7.2 through 7.2.3.13 stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs."
}
],
"value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.24, 7.1 through 7.1.2.10, and 7.2 through 7.2.3.13 stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T00:41:45.398Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7177857"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM UrbanCode Deploy information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45091",
"datePublished": "2025-01-21T00:41:45.398Z",
"dateReserved": "2024-08-21T19:11:14.496Z",
"dateUpdated": "2025-01-21T16:41:10.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43990 (GCVE-0-2024-43990)
Vulnerability from cvelistv5 – Published: 2024-09-25 14:47 – Updated: 2026-04-28 16:10- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/ms-… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| StylemixThemes | Masterstudy LMS Starter |
Affected:
n/a , ≤ 1.1.8
(custom)
|
|
| stylemixthemes | masterstudy_lms |
Affected:
0 , < 1.1.9
(custom)
cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:*:wordpress:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "masterstudy_lms",
"vendor": "stylemixthemes",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:09:32.398070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:11:47.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Masterstudy LMS Starter",
"vendor": "StylemixThemes",
"versions": [
{
"changes": [
{
"at": "1.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Peng Zhou (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in StylemixThemes Masterstudy LMS Starter.\u003cp\u003eThis issue affects Masterstudy LMS Starter: from n/a through 1.1.8.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in StylemixThemes Masterstudy LMS Starter.This issue affects Masterstudy LMS Starter: from n/a through 1.1.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:15.116Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/ms-lms-starter-theme/wordpress-masterstudy-lms-starter-theme-1-1-8-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.1.9 or a higher version."
}
],
"value": "Update to 1.1.9 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Masterstudy LMS Starter theme \u003c= 1.1.8 - Sensitive Data Exposure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43990",
"datePublished": "2024-09-25T14:47:29.522Z",
"dateReserved": "2024-08-18T21:57:25.381Z",
"dateUpdated": "2026-04-28T16:10:15.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43781 (GCVE-0-2024-43781)
Vulnerability from cvelistv5 – Published: 2024-09-10 09:36 – Updated: 2024-09-10 14:38- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SINUMERIK 828D V4 |
Affected:
0 , < V4.95 SP3
(custom)
|
|
| Siemens | SINUMERIK 840D sl V4 |
Affected:
0 , < V4.95 SP3
(custom)
|
|
| Siemens | SINUMERIK ONE |
Affected:
0 , < V6.23
(custom)
|
|
| Siemens | SINUMERIK ONE |
Affected:
0 , < V6.15 SP4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T14:38:29.713747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:38:36.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SINUMERIK 828D V4",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.95 SP3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SINUMERIK 840D sl V4",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.95 SP3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SINUMERIK ONE",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V6.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SINUMERIK ONE",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V6.15 SP4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SINUMERIK 828D V4 (All versions \u003c V4.95 SP3), SINUMERIK 840D sl V4 (All versions \u003c V4.95 SP3 in connection with using Create MyConfig (CMC) \u003c= V4.8 SP1 HF6), SINUMERIK ONE (All versions \u003c V6.23 in connection with using Create MyConfig (CMC) \u003c= V6.6), SINUMERIK ONE (All versions \u003c V6.15 SP4 in connection with using Create MyConfig (CMC) \u003c= V6.6). Affected systems, that have been provisioned with Create MyConfig (CMC), contain a Insertion of Sensitive Information into Log File vulnerability. This could allow a local authenticated user with low privileges to read sensitive information and thus circumvent access restrictions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T09:36:51.143Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-097786.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-43781",
"datePublished": "2024-09-10T09:36:51.143Z",
"dateReserved": "2024-08-16T10:13:58.486Z",
"dateUpdated": "2024-09-10T14:38:36.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43444 (GCVE-0-2024-43444)
Vulnerability from cvelistv5 – Published: 2024-08-26 08:42 – Updated: 2024-08-29 07:36- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| OTRS AG | OTRS |
Affected:
7.0.x , ≤ 7.0.50
(Patch)
Affected: 8.0.x Affected: 2023.x Affected: 2024.x , ≤ 2024.5.x (Patch) |
|
| OTRS AG | ((OTRS)) Community Edition |
Affected:
6.0.x
|
|
| otrs | otrs |
Affected:
7.0.0 , ≤ 7.0.50
(custom)
Affected: 8.0.0 Affected: 2023.0 Affected: 2024.0 , ≤ 2024.5.0 (custom) cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:* |
|
| otrs | otrs |
Affected:
6.0.0
cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "otrs",
"vendor": "otrs",
"versions": [
{
"lessThanOrEqual": "7.0.50",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "2023.0"
},
{
"lessThanOrEqual": "2024.5.0",
"status": "affected",
"version": "2024.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*"
],
"defaultStatus": "affected",
"product": "otrs",
"vendor": "otrs",
"versions": [
{
"status": "affected",
"version": "6.0.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T13:57:06.436622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:01:52.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Log Module",
"Agent Authentication",
"Customer Authentication"
],
"product": "OTRS",
"vendor": "OTRS AG",
"versions": [
{
"lessThanOrEqual": "7.0.50",
"status": "affected",
"version": "7.0.x",
"versionType": "Patch"
},
{
"status": "affected",
"version": "8.0.x"
},
{
"status": "affected",
"version": "2023.x"
},
{
"lessThanOrEqual": "2024.5.x",
"status": "affected",
"version": "2024.x",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "affected",
"modules": [
"Log Module",
"Agent Authentication",
"Customer Authentication"
],
"product": "((OTRS)) Community Edition",
"vendor": "OTRS AG",
"versions": [
{
"status": "affected",
"version": "6.0.x"
}
]
}
],
"datePublic": "2024-08-26T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ePasswords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects: \u003c/p\u003e\u003cul\u003e\u003cli\u003eOTRS from 7.0.X through 7.0.50\u003c/li\u003e\u003cli\u003eOTRS 8.0.X\u003c/li\u003e\u003cli\u003eOTRS 2023.X\u003c/li\u003e\u003cli\u003eOTRS from 2024.X through 2024.5.X\u003c/li\u003e\u003cli\u003e((OTRS)) Community Edition: 6.0.x\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003eProducts based on the ((OTRS)) Community Edition also very likely to be affected\u003c/div\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled.\n\nThis issue affects: \n\n * OTRS from 7.0.X through 7.0.50\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS from 2024.X through 2024.5.X\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"
}
],
"impacts": [
{
"capecId": "CAPEC-545",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-545 Pull Data from System Resources"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T07:36:13.555Z",
"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
"shortName": "OTRS"
},
"references": [
{
"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-12/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to OTRS 2024.6.x or OTRS 7.0.51\u003cbr\u003e"
}
],
"value": "Update to OTRS 2024.6.x or OTRS 7.0.51"
}
],
"source": {
"advisory": "OSA-2024-12",
"defect": [
"Issue#2725",
"Ticket#2024072442001041",
"Ticket#2024072442000677"
],
"discovery": "USER"
},
"title": "Passwords are written to Admin Log Module",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
"assignerShortName": "OTRS",
"cveId": "CVE-2024-43444",
"datePublished": "2024-08-26T08:42:58.796Z",
"dateReserved": "2024-08-13T13:38:47.973Z",
"dateUpdated": "2024-08-29T07:36:13.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42407 (GCVE-0-2024-42407)
Vulnerability from cvelistv5 – Published: 2024-12-12 01:36 – Updated: 2024-12-12 15:18- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | Command Centre Server |
Affected:
0 , ≤ 8.80
(custom)
Affected: 9.10 , < 9.10.2149 (MR4) (custom) Affected: 9.00 , < 9.00.2374 (MR5) (custom) Affected: 8.90 , < 8.90.2356 (MR6) (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:17:42.519556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:18:01.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.80",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.10.2149 (MR4)",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "9.00.2374 (MR5)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "8.90.2356 (MR6)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \u003cbr\u003e\u003cbr\u003eThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u0026nbsp;all versions of 8.80 and prior.\n\n\u003c/span\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \n\nThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u00a0all versions of 8.80 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T01:36:12.364Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-42407"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-42407",
"datePublished": "2024-12-12T01:36:12.364Z",
"dateReserved": "2024-08-28T02:46:11.141Z",
"dateUpdated": "2024-12-12T15:18:01.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42349 (GCVE-0-2024-42349)
Vulnerability from cvelistv5 – Published: 2024-08-02 20:01 – Updated: 2024-08-05 19:46- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/FOGProject/fogproject/security… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| FOGProject | fogproject |
Affected:
< 1.5.10.47
|
|
| fogproject | fogproject |
Affected:
0 , < 1.5.10.47
(custom)
cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fogproject",
"vendor": "fogproject",
"versions": [
{
"lessThan": "1.5.10.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42349",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T19:40:49.867520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:46:15.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fogproject",
"vendor": "FOGProject",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.10.47"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.4 and earlier can leak authorized and rejected logins via logs stored directly on the root of the web server. FOG Server creates 2 logs on the root of the web server (fog_login_accepted.log and fog_login_failed.log), exposing the name of the user account used to manage FOG, the IP address of the computer used to login and the User-Agent. This vulnerability is fixed in 1.5.10.47."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T20:01:29.055Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-697m-3c4p-g29h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-697m-3c4p-g29h"
}
],
"source": {
"advisory": "GHSA-697m-3c4p-g29h",
"discovery": "UNKNOWN"
},
"title": "FOG has a Log Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42349",
"datePublished": "2024-08-02T20:01:29.055Z",
"dateReserved": "2024-07-30T14:01:33.921Z",
"dateUpdated": "2024-08-05T19:46:15.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42344 (GCVE-0-2024-42344)
Vulnerability from cvelistv5 – Published: 2024-09-10 09:36 – Updated: 2024-09-10 14:54- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SINEMA Remote Connect Client |
Affected:
0 , < V3.2 SP2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T14:54:03.621110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:54:10.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SINEMA Remote Connect Client",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2 SP2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SINEMA Remote Connect Client (All versions \u003c V3.2 SP2). The affected application inserts sensitive information into a log file which is readable by all legitimate users of the underlying system. This could allow an authenticated attacker to compromise the confidentiality of other users\u0027 configuration data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T09:36:47.430Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-417159.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-42344",
"datePublished": "2024-09-10T09:36:47.430Z",
"dateReserved": "2024-07-30T11:53:04.709Z",
"dateUpdated": "2024-09-10T14:54:10.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42196 (GCVE-0-2024-42196)
Vulnerability from cvelistv5 – Published: 2024-12-06 14:47 – Updated: 2024-12-06 17:46- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| HCL Software | Launch |
Affected:
7.0 - 7.0.5.24, 7.1 - 7.1.2.20, 7.2 - 7.2.3.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T17:45:59.793618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:46:09.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Launch",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "7.0 - 7.0.5.24, 7.1 - 7.1.2.20, 7.2 - 7.2.3.13"
}
]
}
],
"datePublic": "2024-12-06T04:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HCL Launch stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs."
}
],
"value": "HCL Launch stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T14:47:34.691Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117910"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL Launch is susceptible to Insertion of Sensitive Information into Log File vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-42196",
"datePublished": "2024-12-06T14:47:34.691Z",
"dateReserved": "2024-07-29T21:32:08.372Z",
"dateUpdated": "2024-12-06T17:46:09.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.