CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-JG7W-CXJV-98C2
Vulnerability from github – Published: 2023-10-31 22:23 – Updated: 2023-11-03 15:41SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. When the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.
Example output:
terminated with errors error="unable to create migration driver for postgres: parse \"postgres://spicedb:<PASSWORD IN PLAINTEXT>": invalid port \"<PASSWORD IN PLAINTEXT>\" after host"
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authzed/spicedb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27.0-rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46255"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-31T22:23:44Z",
"nvd_published_at": "2023-10-31T16:15:10Z",
"severity": "MODERATE"
},
"details": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. When the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.\n\nExample output:\n```\nterminated with errors error=\"unable to create migration driver for postgres: parse \\\"postgres://spicedb:\u003cPASSWORD IN PLAINTEXT\u003e\": invalid port \\\"\u003cPASSWORD IN PLAINTEXT\u003e\\\" after host\"\n```",
"id": "GHSA-jg7w-cxjv-98c2",
"modified": "2023-11-03T15:41:54Z",
"published": "2023-10-31T22:23:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46255"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"
},
{
"type": "PACKAGE",
"url": "https://github.com/authzed/spicedb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SpiceDB leaks information in log files when URI cannot be parsed"
}
GHSA-JH6V-7WRW-4XXR
Vulnerability from github – Published: 2024-04-19 06:30 – Updated: 2025-02-04 18:30A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support save.
{
"affected": [],
"aliases": [
"CVE-2024-29959"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T04:15:10Z",
"severity": "HIGH"
},
"details": "A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node\u0027s support save.",
"id": "GHSA-jh6v-7wrw-4xxr",
"modified": "2025-02-04T18:30:44Z",
"published": "2024-04-19T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29959"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/23243"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JHF3-PH2M-2VJQ
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
{
"affected": [],
"aliases": [
"CVE-2013-6384"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-11-23T18:55:00Z",
"severity": "LOW"
},
"details": "(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.",
"id": "GHSA-jhf3-ph2m-2vjq",
"modified": "2022-05-13T01:14:24Z",
"published": "2022-05-13T01:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6384"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ceilometer/+bug/1244476"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/11/22/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/11/25/3"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JJ3R-G3MJ-2CMM
Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-12-17 21:30A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, visionOS 26.1. An attacker with physical access to an unlocked device paired with a Mac may be able to view sensitive user information in system logging.
{
"affected": [],
"aliases": [
"CVE-2025-43423"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T02:15:48Z",
"severity": "LOW"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, visionOS 26.1. An attacker with physical access to an unlocked device paired with a Mac may be able to view sensitive user information in system logging.",
"id": "GHSA-jj3r-g3mj-2cmm",
"modified": "2025-12-17T21:30:35Z",
"published": "2025-11-04T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43423"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125632"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125633"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125634"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125635"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ6H-V242-C8GG
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2026-04-02 21:32A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2. An app may be able to access a user’s Safari history.
{
"affected": [],
"aliases": [
"CVE-2025-46277"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T21:16:13Z",
"severity": "LOW"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2. An app may be able to access a user\u2019s Safari history.",
"id": "GHSA-jj6h-v242-c8gg",
"modified": "2026-04-02T21:32:40Z",
"published": "2025-12-17T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46277"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125884"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125886"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125890"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ89-4799-J2QV
Vulnerability from github – Published: 2023-04-20 00:30 – Updated: 2024-04-04 03:36When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.
{
"affected": [],
"aliases": [
"CVE-2021-3429"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T22:15:10Z",
"severity": "MODERATE"
},
"details": "When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.",
"id": "GHSA-jj89-4799-j2qv",
"modified": "2024-04-04T03:36:28Z",
"published": "2023-04-20T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3429"
},
{
"type": "WEB",
"url": "https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJXF-26C9-77GM
Vulnerability from github – Published: 2024-09-02 06:30 – Updated: 2024-09-06 21:41Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.3"
},
{
"fixed": "1.17.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8365"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-03T20:47:47Z",
"nvd_published_at": "2024-09-02T05:15:17Z",
"severity": "MODERATE"
},
"details": "Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC\u2019d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.",
"id": "GHSA-jjxf-26c9-77gm",
"modified": "2024-09-06T21:41:33Z",
"published": "2024-09-02T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8365"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jjxf-26c9-77gm"
},
{
"type": "PACKAGE",
"url": "github.com/hashicorp/vault"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vault Leaks Client Token and Token Accessor in Audit Devices"
}
GHSA-JM5J-JFRM-HM23
Vulnerability from github – Published: 2026-01-13 20:30 – Updated: 2026-01-13 20:30Thanks, @thunze for reporting this!
hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66
If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file.
Impact
As currently, hermes.log is not yet uploaded automatically as an artifact in CI, this vuln impacts:
- local users working on shared access computers, where logs may be written to a commonly accessible file system
- CI users whose CI logs are accessible to others, e.g., through group or organization rights
Potentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into ci-templates via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!
Patches
This has been patched in hermes 0.9.1 by masking all values passed using -O.
Workarounds
Upgrade to hermes >= 0.9.1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "PyPI",
"name": "hermes"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.1"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22798"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T20:30:54Z",
"nvd_published_at": "2026-01-12T22:16:08Z",
"severity": "MODERATE"
},
"details": "Thanks, @thunze for reporting this!\n\n`hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66\n\nIf users provide sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), these are written to the log file in plain text, making them available to whoever can access the log file.\n\n### Impact\n\nAs currently, `hermes.log` is not yet uploaded automatically as an artifact in CI, this vuln impacts:\n\n- local users working on shared access computers, where logs may be written to a commonly accessible file system\n- CI users whose CI logs are accessible to others, e.g., through group or organization rights\n\nPotentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!\n\n### Patches\n\nThis has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`.\n\n### Workarounds\n\nUpgrade to `hermes` \u003e= 0.9.1.",
"id": "GHSA-jm5j-jfrm-hm23",
"modified": "2026-01-13T20:30:54Z",
"published": "2026-01-13T20:30:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22798"
},
{
"type": "WEB",
"url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1"
},
{
"type": "WEB",
"url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514"
},
{
"type": "PACKAGE",
"url": "https://github.com/softwarepub/hermes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "hermes\u0027s raw options logging may disclose secrets passed in via subcommand options argument"
}
GHSA-JMPC-VPWQ-88Q3
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2023-02-03 21:30On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by an AS3 Declaration.
{
"affected": [],
"aliases": [
"CVE-2019-6648"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-04T16:15:00Z",
"severity": "MODERATE"
},
"details": "On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by an AS3 Declaration.",
"id": "GHSA-jmpc-vpwq-88q3",
"modified": "2023-02-03T21:30:35Z",
"published": "2022-05-24T16:55:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6648"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K74327432"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K74327432?utm_source=f5support\u0026amp;utm_medium=RSS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMRG-WP7G-G3WC
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:03In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
{
"affected": [],
"aliases": [
"CVE-2019-6157"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-22T16:29:00Z",
"severity": "HIGH"
},
"details": "In various firmware versions of Lenovo System x, the integrated management module II (IMM2)\u0027s first failure data capture (FFDC) includes the web server\u0027s private key in the generated log file for support.",
"id": "GHSA-jmrg-wp7g-g3wc",
"modified": "2024-04-04T00:03:37Z",
"published": "2022-05-24T16:44:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6157"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/solutions/LEN-25667"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.