CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-R942-7MJ9-P58W
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-12 18:30The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user's installed apps.
{
"affected": [],
"aliases": [
"CVE-2026-20663"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:08Z",
"severity": "LOW"
},
"details": "The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user\u0027s installed apps.",
"id": "GHSA-r942-7mj9-p58w",
"modified": "2026-02-12T18:30:23Z",
"published": "2026-02-12T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20663"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R96M-RQ4F-96V2
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-10-16 19:00Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.
{
"affected": [],
"aliases": [
"CVE-2021-36318"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.",
"id": "GHSA-r96m-rq4f-96v2",
"modified": "2022-10-16T19:00:30Z",
"published": "2021-12-22T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36318"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-09"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000193369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R96X-G4H4-74Q6
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
{
"affected": [],
"aliases": [
"CVE-2019-8944"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-20T03:29:00Z",
"severity": "MODERATE"
},
"details": "An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.",
"id": "GHSA-r96x-g4h4-74q6",
"modified": "2022-05-13T01:08:17Z",
"published": "2022-05-13T01:08:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8944"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5314"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5315"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9RQ-9R78-P9GM
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-22447"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:28Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-r9rq-9r78-p9gm",
"modified": "2024-04-04T04:00:33Z",
"published": "2023-05-10T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22447"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00827.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC54-2G2C-G36G
Vulnerability from github – Published: 2025-10-22 19:55 – Updated: 2025-10-23 17:40Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to:
sys/rawwith use ofencoding=base64, all data would be emitted unredacted to the audit log.- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.
Third-party plugins may be affected.
This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.
Patches
OpenBao v2.4.2 will patch this issue.
Workarounds
If users do not use the above functionality, they are not impacted. To prohibit the use of sys/raw globally, ensure raw_storage_endpoint=false is set or missing from the server configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251022165510-cc2c476bac66"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62705"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:55:40Z",
"nvd_published_at": "2025-10-22T22:15:35Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao\u0027s audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:\n\n- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.\n- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.\n\nThird-party plugins may be affected.\n\nThis issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. \n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.",
"id": "GHSA-rc54-2g2c-g36g",
"modified": "2025-10-23T17:40:56Z",
"published": "2025-10-22T19:55:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62705"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenBao and Vault Leak []byte Fields in Audit Logs "
}
GHSA-RC5C-4C27-CG98
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-20 00:00Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.
{
"affected": [],
"aliases": [
"CVE-2022-28774"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.",
"id": "GHSA-rc5c-4c27-cg98",
"modified": "2022-05-20T00:00:40Z",
"published": "2022-05-12T00:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28774"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3158188"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RCQJ-3FMP-5CQX
Vulnerability from github – Published: 2025-04-09 12:30 – Updated: 2025-07-15 23:07Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30677"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T12:41:56Z",
"nvd_published_at": "2025-04-09T12:15:15Z",
"severity": "MODERATE"
},
"details": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",
"id": "GHSA-rcqj-3fmp-5cqx",
"modified": "2025-07-15T23:07:45Z",
"published": "2025-04-09T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30677"
},
{
"type": "WEB",
"url": "https://github.com/apache/pulsar/pull/24128"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/pulsar"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
},
{
"type": "WEB",
"url": "https://pulsar.apache.org/security"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs"
}
GHSA-RCW7-PQFP-735X
Vulnerability from github – Published: 2025-09-05 21:02 – Updated: 2025-09-05 21:02Hello Kubernetes Community,
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.
Am I vulnerable?
To check if tokens are being logged, examine the manager container log:
kubectl logs -l 'app.kubernetes.io/part-of=secrets-store-sync-controller' -c manager -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"
Affected Versions
- secrets-store-sync-controller < v0.0.2
How do I mitigate this vulnerability?
Upgrade to secrets-store-sync-controller v0.0.2+
Fixed Versions
- secrets-store-sync-controller >= v0.0.2
Detection
Examine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Acknowledgements
This vulnerability was reported by Reem Rotenberg and Kas Dekel from Microsoft.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "sigs.k8s.io/secrets-store-sync-controller"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7445"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-05T21:02:44Z",
"nvd_published_at": "2025-09-05T03:15:31Z",
"severity": "MODERATE"
},
"details": "Hello Kubernetes Community,\n\nA security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the `parameters` sent to the providers.\n\n### Am I vulnerable?\n\nTo check if tokens are being logged, examine the manager container log:\n\n```bash\nkubectl logs -l \u0027app.kubernetes.io/part-of=secrets-store-sync-controller\u0027 -c manager -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\n```\n\n### Affected Versions\n\n- secrets-store-sync-controller \u003c v0.0.2\n\n### How do I mitigate this vulnerability?\n\nUpgrade to secrets-store-sync-controller v0.0.2+\n\n### Fixed Versions\n\n- secrets-store-sync-controller \u003e= v0.0.2\n\n\n### Detection\n\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.\n\nIf you find evidence that this vulnerability has been exploited, please contact [security@kubernetes.io](https://groups.google.com/)\n\n### Acknowledgements\n\nThis vulnerability was reported by Reem Rotenberg and [Kas Dekel](https://github.com/privmickas) from Microsoft.",
"id": "GHSA-rcw7-pqfp-735x",
"modified": "2025-09-05T21:02:44Z",
"published": "2025-09-05T21:02:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7445"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/133897"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "secrets-store-sync-controller discloses service account tokens in logs"
}
GHSA-RCWX-27FJ-MXF2
Vulnerability from github – Published: 2025-09-10 18:30 – Updated: 2025-09-10 18:30Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-43888"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T16:15:37Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-rcwx-27fj-mxf2",
"modified": "2025-09-10T18:30:15Z",
"published": "2025-09-10T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43888"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000367456/dsa-2025-326-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCXF-WCPQ-J795
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2021-23046"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T15:15:00Z",
"severity": "MODERATE"
},
"details": "On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-rcxf-wcpq-j795",
"modified": "2022-05-24T19:14:24Z",
"published": "2022-05-24T19:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23046"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K70652532"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.