Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-Q664-XXJG-CM3G

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "On Juniper ATP, the API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.",
  "id": "GHSA-q664-xxjg-cm3g",
  "modified": "2022-05-13T01:15:19Z",
  "published": "2022-05-13T01:15:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0004"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q683-8468-R6H6

Vulnerability from github – Published: 2026-06-26 21:00 – Updated: 2026-06-26 21:00
VLAI
Summary
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Details

Impact

Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess() and onAuthenticationFailure() at INFO level:

$this->logger->info('User has been authenticated successfully with Webauthn.', [
    'request' => $request,
    'firewallName' => $firewallName,
    'identifier' => $token->getUserIdentifier(),
]);

$this->logger->info('Webauthn authentication request failed.', [
    'request' => $request,
    'exception' => $exception,
]);

Request::__toString() returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for LineFormatter, JsonFormatter via NormalizerFormatter, etc.), sensitive headers such as Cookie (session identifier), Authorization and any custom auth header are written to the log stream in clear text.

Applications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.

Affected versions

Every release prior to 5.3.4 is affected.

Patches

The fix removes the full Request object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.

Workarounds

Until the upgrade is applied, projects can:

  1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.
  2. Configure their Monolog processor/formatter to strip the request key from the context of these records before they are written.

Credit

Reported by Kay Joosten (Dawn Technology), maintainer of Stepup-Webauthn.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-auth/webauthn-symfony-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:00:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n`Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator` logs the full `Symfony\\Component\\HttpFoundation\\Request` object inside the log context of both `onAuthenticationSuccess()` and `onAuthenticationFailure()` at INFO level:\n\n```php\n$this-\u003elogger-\u003einfo(\u0027User has been authenticated successfully with Webauthn.\u0027, [\n    \u0027request\u0027 =\u003e $request,\n    \u0027firewallName\u0027 =\u003e $firewallName,\n    \u0027identifier\u0027 =\u003e $token-\u003egetUserIdentifier(),\n]);\n\n$this-\u003elogger-\u003einfo(\u0027Webauthn authentication request failed.\u0027, [\n    \u0027request\u0027 =\u003e $request,\n    \u0027exception\u0027 =\u003e $exception,\n]);\n```\n\n`Request::__toString()` returns the raw HTTP message, including every request header. As soon as the configured logger normalises or stringifies the context (default behaviour for `LineFormatter`, `JsonFormatter` via `NormalizerFormatter`, etc.), sensitive headers such as `Cookie` (session identifier), `Authorization` and any custom auth header are written to the log stream in clear text.\n\nApplications that forward logs to centralised platforms (ELK, Splunk, Datadog and similar) are particularly exposed: log access is typically broader than application access, which can allow log readers to hijack authenticated sessions.\n\n## Affected versions\n\nEvery release prior to 5.3.4 is affected.\n\n## Patches\n\nThe fix removes the full `Request` object from the log context and keeps only non-sensitive fields (request path, method, firewall name, user identifier). It is shipped in 5.3.4. Older branches will not receive a backport; users on those branches should upgrade to 5.3.4+ or apply one of the workarounds below.\n\n## Workarounds\n\nUntil the upgrade is applied, projects can:\n\n1. Raise the minimum log level for the WebAuthn authenticator above INFO so these two log records are not emitted in production.\n2. Configure their Monolog processor/formatter to strip the `request` key from the context of these records before they are written.\n\n## Credit\n\nReported by Kay Joosten (Dawn Technology), maintainer of [Stepup-Webauthn](https://github.com/OpenConext/Stepup-Webauthn).",
  "id": "GHSA-q683-8468-r6h6",
  "modified": "2026-06-26T21:00:49Z",
  "published": "2026-06-26T21:00:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-q683-8468-r6h6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/web-auth/webauthn-framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs"
}

GHSA-Q6FP-96RM-R5MQ

Vulnerability from github – Published: 2024-01-05 12:30 – Updated: 2026-04-28 21:33
VLAI
Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-05T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.",
  "id": "GHSA-q6fp-96rm-r5mq",
  "modified": "2026-04-28T21:33:45Z",
  "published": "2024-01-05T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52146"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/404-solution/wordpress-404-solution-plugin-2-33-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6FR-25PH-FPVF

Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32
VLAI
Details

HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T14:16:58Z",
    "severity": "MODERATE"
  },
  "details": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.",
  "id": "GHSA-q6fr-25ph-fpvf",
  "modified": "2026-06-29T15:32:06Z",
  "published": "2026-06-29T15:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56457"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6HQ-Q4XR-93FP

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02
VLAI
Details

SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
  "id": "GHSA-q6hq-q4xr-93fp",
  "modified": "2022-01-22T00:02:03Z",
  "published": "2022-01-15T00:01:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44234"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3106528"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q722-MHCX-9M8W

Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40679"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T01:15:06Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.",
  "id": "GHSA-q722-mhcx-9m8w",
  "modified": "2025-01-08T03:30:23Z",
  "published": "2025-01-08T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40679"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7175957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q77Q-33V2-M8HR

Vulnerability from github – Published: 2024-07-31 18:32 – Updated: 2024-07-31 18:32
VLAI
Details

A vulnerability in Cato Networks SDP Client on Windows allows the insertion of sensitive information into the log file, which can lead to an account takeover. However, the attack requires bypassing protections on modifying the tunnel token on a the attacker's system.This issue affects SDP Client: before 5.10.34.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-31T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Cato Networks SDP Client on Windows allows the insertion of sensitive information into the log file, which can lead to an account takeover. However, the attack requires bypassing protections on modifying the tunnel token on a the attacker\u0027s system.This issue affects SDP Client: before 5.10.34.",
  "id": "GHSA-q77q-33v2-m8hr",
  "modified": "2024-07-31T18:32:01Z",
  "published": "2024-07-31T18:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6977"
    },
    {
      "type": "WEB",
      "url": "https://support.catonetworks.com/hc/en-us/articles/19766795729437-CVE-2024-6977-Windows-SDP-Client-Sensitive-data-in-trace-logs-can-lead-to-account-takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q87W-HJGF-6VFW

Vulnerability from github – Published: 2024-01-29 12:30 – Updated: 2024-01-29 12:30
VLAI
Details

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-29T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n",
  "id": "GHSA-q87w-hjgf-6vfw",
  "modified": "2024-01-29T12:30:20Z",
  "published": "2024-01-29T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23791"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8CJ-789H-VG24

Vulnerability from github – Published: 2026-05-28 17:52 – Updated: 2026-05-28 17:52
VLAI
Summary
OpenBao's Inline Auth Incorrectly Redacted Headers
Details

Impact

OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.

Patches

This is fixed in OpenBao v2.5.4.

Resources

https://github.com/openbao/openbao/issues/3074

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T17:52:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao\u0027s inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.\n\n### Patches\n\nThis is fixed in OpenBao v2.5.4.\n\n### Resources\n\nhttps://github.com/openbao/openbao/issues/3074",
  "id": "GHSA-q8cj-789h-vg24",
  "modified": "2026-05-28T17:52:43Z",
  "published": "2026-05-28T17:52:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/issues/3074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/3076"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenBao\u0027s Inline Auth Incorrectly Redacted Headers"
}

GHSA-Q8P7-W3VH-WG45

Vulnerability from github – Published: 2022-05-14 01:35 – Updated: 2022-05-14 01:35
VLAI
Details

The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-28T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.",
  "id": "GHSA-q8p7-w3vh-wg45",
  "modified": "2022-05-14T01:35:49Z",
  "published": "2022-05-14T01:35:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15004"
    },
    {
      "type": "WEB",
      "url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018"
    },
    {
      "type": "WEB",
      "url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.