Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-R942-7MJ9-P58W

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-12 18:30
VLAI
Details

The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user's installed apps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:08Z",
    "severity": "LOW"
  },
  "details": "The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user\u0027s installed apps.",
  "id": "GHSA-r942-7mj9-p58w",
  "modified": "2026-02-12T18:30:23Z",
  "published": "2026-02-12T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20663"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126347"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R96M-RQ4F-96V2

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-10-16 19:00
VLAI
Details

Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.",
  "id": "GHSA-r96m-rq4f-96v2",
  "modified": "2022-10-16T19:00:30Z",
  "published": "2021-12-22T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36318"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-09"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000193369"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R96X-G4H4-74Q6

Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08
VLAI
Details

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-20T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.",
  "id": "GHSA-r96x-g4h4-74q6",
  "modified": "2022-05-13T01:08:17Z",
  "published": "2022-05-13T01:08:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctopusDeploy/Issues/issues/5314"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctopusDeploy/Issues/issues/5315"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9RQ-9R78-P9GM

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00
VLAI
Details

Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-r9rq-9r78-p9gm",
  "modified": "2024-04-04T04:00:33Z",
  "published": "2023-05-10T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22447"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00827.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC54-2G2C-G36G

Vulnerability from github – Published: 2025-10-22 19:55 – Updated: 2025-10-23 17:40
VLAI
Summary
OpenBao and Vault Leak []byte Fields in Audit Logs
Details

Impact

OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to:

  • sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log.
  • Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.

Third-party plugins may be affected.

This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.

Patches

OpenBao v2.4.2 will patch this issue.

Workarounds

If users do not use the above functionality, they are not impacted. To prohibit the use of sys/raw globally, ensure raw_storage_endpoint=false is set or missing from the server configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20251022165510-cc2c476bac66"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T19:55:40Z",
    "nvd_published_at": "2025-10-22T22:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao\u0027s audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:\n\n- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.\n- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.\n\nThird-party plugins may be affected.\n\nThis issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. \n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.",
  "id": "GHSA-rc54-2g2c-g36g",
  "modified": "2025-10-23T17:40:56Z",
  "published": "2025-10-22T19:55:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenBao and Vault Leak []byte Fields in Audit Logs "
}

GHSA-RC5C-4C27-CG98

Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-20 00:00
VLAI
Details

Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.",
  "id": "GHSA-rc5c-4c27-cg98",
  "modified": "2022-05-20T00:00:40Z",
  "published": "2022-05-12T00:01:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28774"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3158188"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCQJ-3FMP-5CQX

Vulnerability from github – Published: 2025-04-09 12:30 – Updated: 2025-07-15 23:07
VLAI
Summary
Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs
Details

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.

This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.

This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.

3.0.x version users should upgrade to at least 3.0.11.

3.3.x version users should upgrade to at least 3.3.6.

4.0.x version users should upgrade to at least 4.0.4.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-io-kafka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T12:41:56Z",
    "nvd_published_at": "2025-04-09T12:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",
  "id": "GHSA-rcqj-3fmp-5cqx",
  "modified": "2025-07-15T23:07:45Z",
  "published": "2025-04-09T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/pulsar/pull/24128"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/pulsar"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
    },
    {
      "type": "WEB",
      "url": "https://pulsar.apache.org/security"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs"
}

GHSA-RCW7-PQFP-735X

Vulnerability from github – Published: 2025-09-05 21:02 – Updated: 2025-09-05 21:02
VLAI
Summary
secrets-store-sync-controller discloses service account tokens in logs
Details

Hello Kubernetes Community,

A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.

Am I vulnerable?

To check if tokens are being logged, examine the manager container log:

kubectl logs -l 'app.kubernetes.io/part-of=secrets-store-sync-controller' -c manager -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"

Affected Versions

  • secrets-store-sync-controller < v0.0.2

How do I mitigate this vulnerability?

Upgrade to secrets-store-sync-controller v0.0.2+

Fixed Versions

  • secrets-store-sync-controller >= v0.0.2

Detection

Examine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Reem Rotenberg and Kas Dekel from Microsoft.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "sigs.k8s.io/secrets-store-sync-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T21:02:44Z",
    "nvd_published_at": "2025-09-05T03:15:31Z",
    "severity": "MODERATE"
  },
  "details": "Hello Kubernetes Community,\n\nA security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens.  These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.  Tokens are only logged when there is a specific error marshaling the `parameters` sent to the providers.\n\n### Am I vulnerable?\n\nTo check if tokens are being logged, examine the manager container log:\n\n```bash\nkubectl logs -l \u0027app.kubernetes.io/part-of=secrets-store-sync-controller\u0027 -c manager -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\n```\n\n### Affected Versions\n\n- secrets-store-sync-controller \u003c v0.0.2\n\n### How do I mitigate this vulnerability?\n\nUpgrade to secrets-store-sync-controller v0.0.2+\n\n### Fixed Versions\n\n- secrets-store-sync-controller \u003e= v0.0.2\n\n\n### Detection\n\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.\n\nIf you find evidence that this vulnerability has been exploited, please contact [security@kubernetes.io](https://groups.google.com/)\n\n### Acknowledgements\n\nThis vulnerability was reported by Reem Rotenberg and [Kas Dekel](https://github.com/privmickas) from Microsoft.",
  "id": "GHSA-rcw7-pqfp-735x",
  "modified": "2025-09-05T21:02:44Z",
  "published": "2025-09-05T21:02:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7445"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/133897"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "secrets-store-sync-controller discloses service account tokens in logs"
}

GHSA-RCWX-27FJ-MXF2

Vulnerability from github – Published: 2025-09-10 18:30 – Updated: 2025-09-10 18:30
VLAI
Details

Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-10T16:15:37Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.",
  "id": "GHSA-rcwx-27fj-mxf2",
  "modified": "2025-09-10T18:30:15Z",
  "published": "2025-09-10T18:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43888"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000367456/dsa-2025-326-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCXF-WCPQ-J795

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-14T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-rcxf-wcpq-j795",
  "modified": "2022-05-24T19:14:24Z",
  "published": "2022-05-24T19:14:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23046"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K70652532"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.