CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-VV5C-28GH-C3H3
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34A logging issue was addressed with improved data redaction. This issue is fixed in tvOS 26, watchOS 26, visionOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-43303"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:33Z",
"severity": "MODERATE"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in tvOS 26, watchOS 26, visionOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to access sensitive user data.",
"id": "GHSA-vv5c-28gh-c3h3",
"modified": "2025-11-03T21:34:29Z",
"published": "2025-09-16T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43303"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125108"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125114"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125116"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/57"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/58"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVGC-XRW5-PCGG
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26IBM FileNet Content Manager 5.5.2 and 5.5.3 in specific configurations, could log the web service user credentials into a log file that could be accessed by an administrator on the local machine. IBM X-Force ID: 166798.
{
"affected": [],
"aliases": [
"CVE-2019-4572"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM FileNet Content Manager 5.5.2 and 5.5.3 in specific configurations, could log the web service user credentials into a log file that could be accessed by an administrator on the local machine. IBM X-Force ID: 166798.",
"id": "GHSA-vvgc-xrw5-pcgg",
"modified": "2024-04-04T02:26:24Z",
"published": "2022-05-24T16:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4572"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166798"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/1072042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVP6-473X-332G
Vulnerability from github – Published: 2026-02-09 12:30 – Updated: 2026-02-09 12:30In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
{
"affected": [],
"aliases": [
"CVE-2026-25846"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-09T11:16:14Z",
"severity": "MODERATE"
},
"details": "In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs",
"id": "GHSA-vvp6-473x-332g",
"modified": "2026-02-09T12:30:22Z",
"published": "2026-02-09T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25846"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVQF-7QF9-P8Q9
Vulnerability from github – Published: 2023-02-24 15:30 – Updated: 2023-03-03 18:30IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.
{
"affected": [],
"aliases": [
"CVE-2022-43923"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-24T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.",
"id": "GHSA-vvqf-7qf9-p8q9",
"modified": "2023-03-03T18:30:26Z",
"published": "2023-02-24T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43923"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/241584"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6957654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVVP-PX4M-56P7
Vulnerability from github – Published: 2021-11-30 00:00 – Updated: 2021-12-01 00:00Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147
{
"affected": [],
"aliases": [
"CVE-2021-34800"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-29T20:15:00Z",
"severity": "HIGH"
},
"details": "Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147",
"id": "GHSA-vvvp-px4m-56p7",
"modified": "2021-12-01T00:00:43Z",
"published": "2021-11-30T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34800"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-3145"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VW58-PH65-6RXP
Vulnerability from github – Published: 2025-04-14 15:20 – Updated: 2025-04-14 15:20Summary
Access token from query string is not redacted and is potentially exposed in system logs which may be persisted.
Details
The access token in req.query is not redacted when the LOG_STYLE is set to raw. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation.
PoC
- Set
LOG_LEVEL="raw"in the environment. - Send a request with the
access_tokenin the query string. - Notice that the
access_tokeninreq.queryis not redacted.
Impact
It impacts systems where the LOG_STYLE is set to raw. The access_token in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@directus/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "21.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47822"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-14T15:20:40Z",
"nvd_published_at": "2024-10-08T18:15:31Z",
"severity": "MODERATE"
},
"details": "### Summary\nAccess token from query string is not redacted and is potentially exposed in system logs which may be persisted.\n\n### Details\nThe access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation.\n\n### PoC\n1. Set `LOG_LEVEL=\"raw\"` in the environment.\n2. Send a request with the `access_token` in the query string.\n3. Notice that the `access_token` in `req.query` is not redacted.\n\n### Impact\nIt impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string.",
"id": "GHSA-vw58-ph65-6rxp",
"modified": "2025-04-14T15:20:41Z",
"published": "2025-04-14T15:20:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47822"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus inserts access token from query string into logs"
}
GHSA-VWCH-G97W-HFG2
Vulnerability from github – Published: 2024-01-03 16:14 – Updated: 2024-07-08 19:36CubeFS was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves.
There is no evidence of this vulnerability being exploited in the wild. It was found during an ongoing security audit carried out by Ada Logics in collaboration with OSTIF and the CNCF.
The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cubefs/cubefs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46742"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-03T16:14:54Z",
"nvd_published_at": "2024-01-03T17:15:11Z",
"severity": "MODERATE"
},
"details": "CubeFS was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. \n\nThere is no evidence of this vulnerability being exploited in the wild. It was found during an ongoing security audit carried out by [Ada Logics](https://adalogics.com/) in collaboration with [OSTIF](https://ostif.org/) and the [CNCF](https://www.cncf.io/).\n\nThe issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.",
"id": "GHSA-vwch-g97w-hfg2",
"modified": "2024-07-08T19:36:05Z",
"published": "2024-01-03T16:14:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46742"
},
{
"type": "WEB",
"url": "https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/cubefs/cubefs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CubeFS leaks users key in logs"
}
GHSA-VWCJ-7F4R-R8XJ
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.
{
"affected": [],
"aliases": [
"CVE-2017-3744"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-20T00:29:00Z",
"severity": "MODERATE"
},
"details": "In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.",
"id": "GHSA-vwcj-7f4r-r8xj",
"modified": "2022-05-13T01:45:51Z",
"published": "2022-05-13T01:45:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3744"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/product_security/LEN-14054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWQ9-CMQR-3C8C
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-10-26 16:44Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.
Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).
Since Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type Secret, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API.
Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages. See the logging documentation for details.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.24"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins:configuration-as-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10343"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T23:08:40Z",
"nvd_published_at": "2019-07-31T13:15:00Z",
"severity": "MODERATE"
},
"details": "Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.\n\nBetween Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).\n\nSince Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type `Secret`, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the `Secret` type to store credentials encrypted on disk while not having the Secret type appear in their Java API.\n\nConfiguration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. As a workaround, administrators can configure the logging level of the logger `io.jenkins.plugins.casc.Attribute` to a level that does not include `INFO` messages. See the logging documentation for details.",
"id": "GHSA-vwq9-cmqr-3c8c",
"modified": "2023-10-26T16:44:50Z",
"published": "2022-05-24T16:51:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10343"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/73afe3cb10a723cb06e29c2e5499206aadae3a0d"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1279"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin"
}
GHSA-VX3J-9RM2-Q676
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30Multiple Exposure of sensitive information to an unauthorized actor vulnerabilities [CWE-200] in FortiAIOps version 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files.
{
"affected": [],
"aliases": [
"CVE-2024-27784"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T16:15:05Z",
"severity": "HIGH"
},
"details": "Multiple Exposure of sensitive information to an unauthorized actor vulnerabilities [CWE-200] in FortiAIOps version 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files.",
"id": "GHSA-vx3j-9rm2-q676",
"modified": "2024-07-09T18:30:49Z",
"published": "2024-07-09T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27784"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.