CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-Q664-XXJG-CM3G
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
{
"affected": [],
"aliases": [
"CVE-2019-0004"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T21:29:00Z",
"severity": "MODERATE"
},
"details": "On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.",
"id": "GHSA-q664-xxjg-cm3g",
"modified": "2022-05-13T01:15:19Z",
"published": "2022-05-13T01:15:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0004"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q683-8468-R6H6
Vulnerability from github – Published: 2026-06-26 21:00 – Updated: 2026-06-26 21:00Impact
Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess() and onAuthenticationFailure() at INFO level:
$this->logger->info('User has been authenticated successfully with Webauthn.', [
'request' => $request,
'firewallName' => $firewallName,
'identifier' => $token->getUserIdentifier(),
]);
$this->logger->info('Webauthn authentication request failed.', [
'request' => $request,
'exception' => $exception,
]);
Request::__toString() returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for LineFormatter, JsonFormatter via NormalizerFormatter, etc.), sensitive headers such as Cookie (session identifier), Authorization and any custom auth header are written to the log stream in clear text.
Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.
Affected versions
Every release prior to 5.3.4 is affected.
Patches
The fix removes the full Request object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.
Workarounds
Until the upgrade is applied, projects can:
- Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.
- Configure their Monolog processor/formatter to strip the
requestkey from the context of these records before they are written.
Credit
Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "web-auth/webauthn-symfony-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:00:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\n`Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator` logs the full `Symfony\\Component\\HttpFoundation\\Request` object inside the log context of both `onAuthenticationSuccess()` and `onAuthenticationFailure()` at INFO level:\n\n```php\n$this-\u003elogger-\u003einfo(\u0027User has been authenticated successfully with Webauthn.\u0027, [\n \u0027request\u0027 =\u003e $request,\n \u0027firewallName\u0027 =\u003e $firewallName,\n \u0027identifier\u0027 =\u003e $token-\u003egetUserIdentifier(),\n]);\n\n$this-\u003elogger-\u003einfo(\u0027Webauthn authentication request failed.\u0027, [\n \u0027request\u0027 =\u003e $request,\n \u0027exception\u0027 =\u003e $exception,\n]);\n```\n\n`Request::__toString()` returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for `LineFormatter`, `JsonFormatter` via `NormalizerFormatter`, etc.), sensitive headers such as `Cookie` (session identifier), `Authorization` and any custom auth header are written to the log stream in clear text.\n\nApplications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.\n\n## Affected versions\n\nEvery release prior to 5.3.4 is affected.\n\n## Patches\n\nThe fix removes the full `Request` object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.\n\n## Workarounds\n\nUntil the upgrade is applied, projects can:\n\n1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.\n2. Configure their Monolog processor/formatter to strip the `request` key from the context of these records before they are written.\n\n## Credit\n\nReported by Kay Joosten (Dawn Technology), maintainer of [Stepup-Webauthn](https://github.com/OpenConext/Stepup-Webauthn).",
"id": "GHSA-q683-8468-r6h6",
"modified": "2026-06-26T21:00:49Z",
"published": "2026-06-26T21:00:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-q683-8468-r6h6"
},
{
"type": "PACKAGE",
"url": "https://github.com/web-auth/webauthn-framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs"
}
GHSA-Q6FP-96RM-R5MQ
Vulnerability from github – Published: 2024-01-05 12:30 – Updated: 2026-04-28 21:33Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.
{
"affected": [],
"aliases": [
"CVE-2023-52146"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-05T11:15:10Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.",
"id": "GHSA-q6fp-96rm-r5mq",
"modified": "2026-04-28T21:33:45Z",
"published": "2024-01-05T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52146"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/404-solution/wordpress-404-solution-plugin-2-33-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q6FR-25PH-FPVF
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
{
"affected": [],
"aliases": [
"CVE-2026-56457"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T14:16:58Z",
"severity": "MODERATE"
},
"details": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.",
"id": "GHSA-q6fr-25ph-fpvf",
"modified": "2026-06-29T15:32:06Z",
"published": "2026-06-29T15:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56457"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q6HQ-Q4XR-93FP
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2021-44234"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
"id": "GHSA-q6hq-q4xr-93fp",
"modified": "2022-01-22T00:02:03Z",
"published": "2022-01-15T00:01:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44234"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3106528"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q722-MHCX-9M8W
Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2024-40679"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T01:15:06Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.",
"id": "GHSA-q722-mhcx-9m8w",
"modified": "2025-01-08T03:30:23Z",
"published": "2025-01-08T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40679"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q77Q-33V2-M8HR
Vulnerability from github – Published: 2024-07-31 18:32 – Updated: 2024-07-31 18:32A vulnerability in Cato Networks SDP Client on Windows allows the insertion of sensitive information into the log file, which can lead to an account takeover. However, the attack requires bypassing protections on modifying the tunnel token on a the attacker's system.This issue affects SDP Client: before 5.10.34.
{
"affected": [],
"aliases": [
"CVE-2024-6977"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-31T17:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cato Networks SDP Client on Windows allows the insertion of sensitive information into the log file, which can lead to an account takeover. However, the attack requires bypassing protections on modifying the tunnel token on a the attacker\u0027s system.This issue affects SDP Client: before 5.10.34.",
"id": "GHSA-q77q-33v2-m8hr",
"modified": "2024-07-31T18:32:01Z",
"published": "2024-07-31T18:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6977"
},
{
"type": "WEB",
"url": "https://support.catonetworks.com/hc/en-us/articles/19766795729437-CVE-2024-6977-Windows-SDP-Client-Sensitive-data-in-trace-logs-can-lead-to-account-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q87W-HJGF-6VFW
Vulnerability from github – Published: 2024-01-29 12:30 – Updated: 2024-01-29 12:30Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
{
"affected": [],
"aliases": [
"CVE-2024-23791"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-29T10:15:08Z",
"severity": "MODERATE"
},
"details": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n",
"id": "GHSA-q87w-hjgf-6vfw",
"modified": "2024-01-29T12:30:20Z",
"published": "2024-01-29T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23791"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q8CJ-789H-VG24
Vulnerability from github – Published: 2026-05-28 17:52 – Updated: 2026-05-28 17:52Impact
OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.
Patches
This is fixed in OpenBao v2.5.4.
Resources
https://github.com/openbao/openbao/issues/3074
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46358"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T17:52:43Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao\u0027s inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.\n\n### Patches\n\nThis is fixed in OpenBao v2.5.4.\n\n### Resources\n\nhttps://github.com/openbao/openbao/issues/3074",
"id": "GHSA-q8cj-789h-vg24",
"modified": "2026-05-28T17:52:43Z",
"published": "2026-05-28T17:52:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/issues/3074"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/3076"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.5.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenBao\u0027s Inline Auth Incorrectly Redacted Headers"
}
GHSA-Q8P7-W3VH-WG45
Vulnerability from github – Published: 2022-05-14 01:35 – Updated: 2022-05-14 01:35The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.
{
"affected": [],
"aliases": [
"CVE-2018-15004"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-28T21:29:00Z",
"severity": "MODERATE"
},
"details": "The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.",
"id": "GHSA-q8p7-w3vh-wg45",
"modified": "2022-05-14T01:35:49Z",
"published": "2022-05-14T01:35:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15004"
},
{
"type": "WEB",
"url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018"
},
{
"type": "WEB",
"url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.