Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-J46J-HR86-QF36

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-02-03 15:31
VLAI
Details

IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-26T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.",
  "id": "GHSA-j46j-hr86-qf36",
  "modified": "2023-02-03T15:31:18Z",
  "published": "2022-05-24T22:00:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4225"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/159242"
    },
    {
      "type": "WEB",
      "url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10885602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4HX-QJGQ-FH5C

Vulnerability from github – Published: 2022-05-14 01:46 – Updated: 2022-05-14 01:46
VLAI
Details

Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-03T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the \"name\" URL parameter.",
  "id": "GHSA-j4hx-qjgq-fh5c",
  "modified": "2022-05-14T01:46:42Z",
  "published": "2022-05-14T01:46:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14700"
    },
    {
      "type": "WEB",
      "url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4MW-2JFJ-WQ9H

Vulnerability from github – Published: 2026-04-08 15:31 – Updated: 2026-04-13 18:30
VLAI
Details

Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T13:16:41Z",
    "severity": "HIGH"
  },
  "details": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.",
  "id": "GHSA-j4mw-2jfj-wq9h",
  "modified": "2026-04-13T18:30:38Z",
  "published": "2026-04-08T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28261"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J536-PJXM-6XVJ

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

In System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-27T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.",
  "id": "GHSA-j536-pjxm-6xvj",
  "modified": "2022-05-13T01:19:14Z",
  "published": "2022-05-13T01:19:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16095"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/solutions/LEN-24374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5F8-RC75-MMGW

Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16
VLAI
Details

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-21T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.",
  "id": "GHSA-j5f8-rc75-mmgw",
  "modified": "2022-05-14T03:16:19Z",
  "published": "2022-05-14T03:16:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctopusDeploy/Issues/issues/4578"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5MC-P7Q3-P89M

Vulnerability from github – Published: 2025-07-15 15:31 – Updated: 2025-07-15 15:31
VLAI
Details

Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-15T15:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-j5mc-p7q3-p89m",
  "modified": "2025-07-15T15:31:00Z",
  "published": "2025-07-15T15:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30483"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000339124/dsa-2025-242-security-update-for-dell-ecs-and-dell-objectscale-insertion-of-sensitive-information-into-log-file-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J667-C2HM-F2WP

Vulnerability from github – Published: 2022-02-09 21:59 – Updated: 2024-09-05 00:37
VLAI
Summary
Insertion of Sensitive Information into Log File and Improper Output Neutralization for Logs in ansible
Details

A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0a1"
            },
            {
              "fixed": "2.10.1rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T23:18:09Z",
    "nvd_published_at": "2020-09-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.",
  "id": "GHSA-j667-c2hm-f2wp",
  "modified": "2024-09-05T00:37:44Z",
  "published": "2022-02-09T21:59:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14332"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/71033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/291f94934c8c49eef85e6539087f2dfcd001fe4f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/6cae9a4b168df776bf82deb04b2c62e00c38b49a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/714cd2ad2eff7f003d728414afcb91591fad5d9a"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-j667-c2hm-f2wp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#security-fixes-3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#security-fixes-4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes-6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-4.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File and Improper Output Neutralization for Logs in ansible"
}

GHSA-J6HH-H3CF-C2HF

Vulnerability from github – Published: 2026-05-07 06:31 – Updated: 2026-06-18 22:58
VLAI
Summary
Spring Cloud Config Server Logged Sensitive Information
Details

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.

  • Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.
  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "last_affected": "3.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "last_affected": "4.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "last_affected": "4.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "last_affected": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:19:34Z",
    "nvd_published_at": "2026-05-07T04:16:25Z",
    "severity": "MODERATE"
  },
  "details": "When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.\n\n- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.\n- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.\n- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.",
  "id": "GHSA-j6hh-h3cf-c2hf",
  "modified": "2026-06-18T22:58:06Z",
  "published": "2026-05-07T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41004"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-cloud/spring-cloud-config"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Cloud Config Server Logged Sensitive Information"
}

GHSA-J6X4-PJR7-HWQ4

Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32
VLAI
Details

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T08:16:20Z",
    "severity": "HIGH"
  },
  "details": "Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.",
  "id": "GHSA-j6x4-pjr7-hwq4",
  "modified": "2026-05-21T09:32:09Z",
  "published": "2026-05-21T09:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44052"
    },
    {
      "type": "WEB",
      "url": "https://netatalk.io/security/CVE-2026-44052"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J72F-H752-MX4W

Vulnerability from github – Published: 2023-11-23 00:28 – Updated: 2023-11-27 21:44
VLAI
Summary
Insertion of Sensitive Information into Log
Details

Impact

If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.

When you (1) use the following authentiactors, - AccessTokens (tokens) - JWT (jwt) - HmacSha256 (hmac)

and you (2) log successful login attempts, the raw tokens are stored.

Patches

Upgrade to Shield v1.0.0-beta.8 or later.

Workarounds

Disable logging for successful login attempts by the configuration files.

  • AccessTokens or HmacSha256
  • Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
  • JWT
  • Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE

References

  • https://codeigniter4.github.io/shield/getting_started/authenticators/

For more information

If you have any questions or comments about this advisory: * Open an issue or discussion in codeigniter4/shield * Email us at security@codeigniter.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/shield"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-beta.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-23T00:28:13Z",
    "nvd_published_at": "2023-11-24T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIf successful login attempts are recorded, the raw tokens are stored in the log table.\nIf a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user\u0027s authority.\n\nWhen you (1) **use the following authentiactors**,\n- [AccessTokens](https://codeigniter4.github.io/shield/references/authentication/tokens/) (`tokens`)\n- [JWT](https://codeigniter4.github.io/shield/addons/jwt/) (`jwt`)\n- [HmacSha256](https://codeigniter4.github.io/shield/references/authentication/hmac/) (`hmac`)\n\nand you (2) **log successful login attempts**, the raw tokens are stored.\n\n### Patches\nUpgrade to Shield v1.0.0-beta.8 or later.\n\n### Workarounds\nDisable logging for successful login attempts by the configuration files.\n\n- AccessTokens or HmacSha256\n   - Set `Config\\AuthToken::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n- JWT\n   - Set `Config\\AuthJWT::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n\n### References\n- https://codeigniter4.github.io/shield/getting_started/authenticators/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)\n* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)\n",
  "id": "GHSA-j72f-h752-mx4w",
  "modified": "2023-11-27T21:44:44Z",
  "published": "2023-11-23T00:28:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4"
    },
    {
      "type": "WEB",
      "url": "https://codeigniter4.github.io/shield/getting_started/authenticators"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/shield"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.