CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-J46J-HR86-QF36
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-02-03 15:31IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.
{
"affected": [],
"aliases": [
"CVE-2019-4225"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-26T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.",
"id": "GHSA-j46j-hr86-qf36",
"modified": "2023-02-03T15:31:18Z",
"published": "2022-05-24T22:00:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4225"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/159242"
},
{
"type": "WEB",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10885602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4HX-QJGQ-FH5C
Vulnerability from github – Published: 2022-05-14 01:46 – Updated: 2022-05-14 01:46Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
{
"affected": [],
"aliases": [
"CVE-2018-14700"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-03T22:29:00Z",
"severity": "HIGH"
},
"details": "Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the \"name\" URL parameter.",
"id": "GHSA-j4hx-qjgq-fh5c",
"modified": "2022-05-14T01:46:42Z",
"published": "2022-05-14T01:46:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14700"
},
{
"type": "WEB",
"url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4MW-2JFJ-WQ9H
Vulnerability from github – Published: 2026-04-08 15:31 – Updated: 2026-04-13 18:30Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2026-28261"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T13:16:41Z",
"severity": "HIGH"
},
"details": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.",
"id": "GHSA-j4mw-2jfj-wq9h",
"modified": "2026-04-13T18:30:38Z",
"published": "2026-04-08T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28261"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J536-PJXM-6XVJ
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19In System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.
{
"affected": [],
"aliases": [
"CVE-2018-16095"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-27T14:29:00Z",
"severity": "MODERATE"
},
"details": "In System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.",
"id": "GHSA-j536-pjxm-6xvj",
"modified": "2022-05-13T01:19:14Z",
"published": "2022-05-13T01:19:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16095"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/solutions/LEN-24374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J5F8-RC75-MMGW
Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
{
"affected": [],
"aliases": [
"CVE-2018-11320"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-21T14:29:00Z",
"severity": "CRITICAL"
},
"details": "In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.",
"id": "GHSA-j5f8-rc75-mmgw",
"modified": "2022-05-14T03:16:19Z",
"published": "2022-05-14T03:16:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11320"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/4578"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5MC-P7Q3-P89M
Vulnerability from github – Published: 2025-07-15 15:31 – Updated: 2025-07-15 15:31Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-30483"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T15:15:24Z",
"severity": "MODERATE"
},
"details": "Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-j5mc-p7q3-p89m",
"modified": "2025-07-15T15:31:00Z",
"published": "2025-07-15T15:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30483"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000339124/dsa-2025-242-security-update-for-dell-ecs-and-dell-objectscale-insertion-of-sensitive-information-into-log-file-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J667-C2HM-F2WP
Vulnerability from github – Published: 2022-02-09 21:59 – Updated: 2024-09-05 00:37A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0a1"
},
{
"fixed": "2.10.1rc2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14332"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-02T23:18:09Z",
"nvd_published_at": "2020-09-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-j667-c2hm-f2wp",
"modified": "2024-09-05T00:37:44Z",
"published": "2022-02-09T21:59:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14332"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/71033"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/291f94934c8c49eef85e6539087f2dfcd001fe4f"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/6cae9a4b168df776bf82deb04b2c62e00c38b49a"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/714cd2ad2eff7f003d728414afcb91591fad5d9a"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j667-c2hm-f2wp"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#security-fixes-3"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#security-fixes-4"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes-6"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-4.yaml"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Insertion of Sensitive Information into Log File and Improper Output Neutralization for Logs in ansible"
}
GHSA-J6HH-H3CF-C2HF
Vulnerability from github – Published: 2026-05-07 06:31 – Updated: 2026-06-18 22:58When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.
- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.
- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"last_affected": "3.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"last_affected": "4.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"last_affected": "4.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"last_affected": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41004"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:19:34Z",
"nvd_published_at": "2026-05-07T04:16:25Z",
"severity": "MODERATE"
},
"details": "When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.\n\n- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.\n- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.",
"id": "GHSA-j6hh-h3cf-c2hf",
"modified": "2026-06-18T22:58:06Z",
"published": "2026-05-07T06:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41004"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-cloud/spring-cloud-config"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-41004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Cloud Config Server Logged Sensitive Information"
}
GHSA-J6X4-PJR7-HWQ4
Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.
{
"affected": [],
"aliases": [
"CVE-2026-44052"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T08:16:20Z",
"severity": "HIGH"
},
"details": "Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.",
"id": "GHSA-j6x4-pjr7-hwq4",
"modified": "2026-05-21T09:32:09Z",
"published": "2026-05-21T09:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44052"
},
{
"type": "WEB",
"url": "https://netatalk.io/security/CVE-2026-44052"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J72F-H752-MX4W
Vulnerability from github – Published: 2023-11-23 00:28 – Updated: 2023-11-27 21:44Impact
If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.
When you (1) use the following authentiactors,
- AccessTokens (tokens)
- JWT (jwt)
- HmacSha256 (hmac)
and you (2) log successful login attempts, the raw tokens are stored.
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts by the configuration files.
- AccessTokens or HmacSha256
- Set
Config\AuthToken::$recordLoginAttempttoAuth::RECORD_LOGIN_ATTEMPT_FAILUREorAuth::RECORD_LOGIN_ATTEMPT_NONE - JWT
- Set
Config\AuthJWT::$recordLoginAttempttoAuth::RECORD_LOGIN_ATTEMPT_FAILUREorAuth::RECORD_LOGIN_ATTEMPT_NONE
References
- https://codeigniter4.github.io/shield/getting_started/authenticators/
For more information
If you have any questions or comments about this advisory: * Open an issue or discussion in codeigniter4/shield * Email us at security@codeigniter.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "codeigniter4/shield"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-beta.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48708"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-23T00:28:13Z",
"nvd_published_at": "2023-11-24T18:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf successful login attempts are recorded, the raw tokens are stored in the log table.\nIf a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user\u0027s authority.\n\nWhen you (1) **use the following authentiactors**,\n- [AccessTokens](https://codeigniter4.github.io/shield/references/authentication/tokens/) (`tokens`)\n- [JWT](https://codeigniter4.github.io/shield/addons/jwt/) (`jwt`)\n- [HmacSha256](https://codeigniter4.github.io/shield/references/authentication/hmac/) (`hmac`)\n\nand you (2) **log successful login attempts**, the raw tokens are stored.\n\n### Patches\nUpgrade to Shield v1.0.0-beta.8 or later.\n\n### Workarounds\nDisable logging for successful login attempts by the configuration files.\n\n- AccessTokens or HmacSha256\n - Set `Config\\AuthToken::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n- JWT\n - Set `Config\\AuthJWT::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n\n### References\n- https://codeigniter4.github.io/shield/getting_started/authenticators/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)\n* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)\n",
"id": "GHSA-j72f-h752-mx4w",
"modified": "2023-11-27T21:44:44Z",
"published": "2023-11-23T00:28:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48708"
},
{
"type": "WEB",
"url": "https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4"
},
{
"type": "WEB",
"url": "https://codeigniter4.github.io/shield/getting_started/authenticators"
},
{
"type": "PACKAGE",
"url": "https://github.com/codeigniter4/shield"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Log"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.