CWE-1295
AllowedDebug Messages Revealing Unnecessary Information
Abstraction: Base · Status: Incomplete
The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
41 vulnerabilities reference this CWE, most recent first.
GHSA-3FF6-X43R-FCJ7
Vulnerability from github – Published: 2024-02-10 03:30 – Updated: 2024-02-10 03:30Dell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user.
{
"affected": [],
"aliases": [
"CVE-2023-28077"
],
"database_specific": {
"cwe_ids": [
"CWE-1295",
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-10T03:15:07Z",
"severity": "MODERATE"
},
"details": "\nDell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user. \n\n",
"id": "GHSA-3ff6-x43r-fcj7",
"modified": "2024-02-10T03:30:19Z",
"published": "2024-02-10T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28077"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000214287/dsa-2023-156-dell-bsafe-ssl-j-7-1-1-security-update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-46C3-5XC5-WWHV
Vulnerability from github – Published: 2024-11-15 09:32 – Updated: 2025-01-21 17:59Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45784"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T20:35:11Z",
"nvd_published_at": "2024-11-15T09:15:14Z",
"severity": "HIGH"
},
"details": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability.\u00a0If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.",
"id": "GHSA-46c3-5xc5-wwhv",
"modified": "2025-01-21T17:59:27Z",
"published": "2024-11-15T09:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45784"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/43040"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/11/15/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow: Sensitive configuration values are not masked in the logs by default"
}
GHSA-4M2M-3RVH-CP5P
Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-27 09:30The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).
{
"affected": [],
"aliases": [
"CVE-2025-59109"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T10:16:08Z",
"severity": "MODERATE"
},
"details": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).",
"id": "GHSA-4m2m-3rvh-cp5p",
"modified": "2026-01-27T09:30:29Z",
"published": "2026-01-26T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59109"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dkaccess"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dormakaba"
},
{
"type": "WEB",
"url": "https://www.dormakabagroup.com/en/security-advisories"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/Jan/24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6J5X-6P93-F5M6
Vulnerability from github – Published: 2025-04-10 15:31 – Updated: 2025-04-10 15:31An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.
{
"affected": [],
"aliases": [
"CVE-2025-2469"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T14:15:27Z",
"severity": "LOW"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.",
"id": "GHSA-6j5x-6p93-f5m6",
"modified": "2025-04-10T15:31:49Z",
"published": "2025-04-10T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2469"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3030586"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/525374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VG5-GH5C-GR5C
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-18 18:32A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.
{
"affected": [],
"aliases": [
"CVE-2025-46775"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T17:16:01Z",
"severity": "MODERATE"
},
"details": "A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.",
"id": "GHSA-6vg5-gh5c-gr5c",
"modified": "2025-11-18T18:32:53Z",
"published": "2025-11-18T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46775"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-72MH-368W-4Q93
Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.
{
"affected": [],
"aliases": [
"CVE-2025-31001"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T06:15:55Z",
"severity": "HIGH"
},
"details": "Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.",
"id": "GHSA-72mh-368w-4q93",
"modified": "2026-04-01T18:34:19Z",
"published": "2025-04-01T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31001"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-85H4-FVWM-CJX7
Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.
{
"affected": [],
"aliases": [
"CVE-2025-35031"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T20:15:32Z",
"severity": "MODERATE"
},
"details": "Medical Informatics Engineering Enterprise Health includes the user\u0027s current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.",
"id": "GHSA-85h4-fvwm-cjx7",
"modified": "2025-09-29T21:30:26Z",
"published": "2025-09-29T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35031"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35031"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9C9R-3PVJ-MX5R
Vulnerability from github – Published: 2024-04-11 21:30 – Updated: 2024-04-11 21:30C300 information leak due to an analysis feature which allows extracting more memory over the network than required by the function. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.
{
"affected": [],
"aliases": [
"CVE-2023-5392"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-11T20:15:09Z",
"severity": "HIGH"
},
"details": "C300 information leak due to an analysis feature which allows extracting more memory over the network than required by the function.\u00a0Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. \n\n",
"id": "GHSA-9c9r-3pvj-mx5r",
"modified": "2024-04-11T21:30:50Z",
"published": "2024-04-11T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5392"
},
{
"type": "WEB",
"url": "https://process.honeywell.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C363-2F5P-C4CV
Vulnerability from github – Published: 2024-11-15 21:30 – Updated: 2024-11-15 21:30A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.
{
"affected": [],
"aliases": [
"CVE-2024-11217"
],
"database_specific": {
"cwe_ids": [
"CWE-1295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T21:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.",
"id": "GHSA-c363-2f5p-c4cv",
"modified": "2024-11-15T21:30:47Z",
"published": "2024-11-15T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-11217"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CH48-9R3Q-PV7X
Vulnerability from github – Published: 2023-06-22 20:01 – Updated: 2023-06-22 20:01Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
https://vaadin.com/security/cve-2023-25500
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "9.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "23.3.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "24.0.0"
},
{
"fixed": "24.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "24.1.alpha1"
},
{
"fixed": "24.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.0"
},
{
"fixed": "22.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "23.3.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "24.0.0"
},
{
"fixed": "24.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin"
},
"ranges": [
{
"events": [
{
"introduced": "24.1.0.alpha1"
},
{
"fixed": "24.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25500"
],
"database_specific": {
"cwe_ids": [
"CWE-1295",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-22T20:01:03Z",
"nvd_published_at": "2023-06-22T13:15:09Z",
"severity": "LOW"
},
"details": "### Description\nPossible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.\n\nhttps://vaadin.com/security/cve-2023-25500",
"id": "GHSA-ch48-9r3q-pv7x",
"modified": "2023-06-22T20:01:03Z",
"published": "2023-06-22T20:01:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25500"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/16935"
},
{
"type": "PACKAGE",
"url": "https://github.com/vaadin/platform"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2023-25500"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vaadin vulnerable to possible information disclosure of class and method names in RPC response"
}
Mitigation
Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response.
CAPEC-121: Exploit Non-Production Interfaces
An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.