CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-W42R-7HMW-4854
Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-04-17 09:31Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled.
{
"affected": [],
"aliases": [
"CVE-2026-23775"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-17T09:16:05Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled.",
"id": "GHSA-w42r-7hmw-4854",
"modified": "2026-04-17T09:31:20Z",
"published": "2026-04-17T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23775"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4FJ-CCR6-7PCP
Vulnerability from github – Published: 2022-01-06 20:40 – Updated: 2023-09-25 11:29An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi:nifi-parameter"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.10.0"
]
}
],
"aliases": [
"CVE-2020-1928"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-29T14:27:46Z",
"nvd_published_at": "2020-01-28T01:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.",
"id": "GHSA-w4fj-ccr6-7pcp",
"modified": "2023-09-25T11:29:40Z",
"published": "2022-01-06T20:40:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1928"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi/pull/3935"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi/commit/42cb6e84898e66672878f61f99543d6af3c0a567"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/nifi"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/security.html#CVE-2020-1928"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache NiFi Insertion of Sensitive Information into Log File"
}
GHSA-W4PP-3G66-R345
Vulnerability from github – Published: 2023-09-17 12:30 – Updated: 2023-09-17 12:30A vulnerability, which was classified as problematic, has been found in China Unicom TEWA-800G 4.16L.04_CT2015_Yueme. Affected by this issue is some unknown functionality. The manipulation leads to information exposure through debug log file. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-239870 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-5028"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-17T11:15:07Z",
"severity": "LOW"
},
"details": "A vulnerability, which was classified as problematic, has been found in China Unicom TEWA-800G 4.16L.04_CT2015_Yueme. Affected by this issue is some unknown functionality. The manipulation leads to information exposure through debug log file. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-239870 is the identifier assigned to this vulnerability.",
"id": "GHSA-w4pp-3g66-r345",
"modified": "2023-09-17T12:30:18Z",
"published": "2023-09-17T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5028"
},
{
"type": "WEB",
"url": "https://github.com/pinglan123/-/wiki/%E4%B8%AD%E5%9B%BD%E8%81%94%E9%80%9A%E5%AE%B6%E7%94%A8%E7%BD%91%E5%85%B3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.239870"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.239870"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W4Q6-FVV5-QW2W
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:37Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.
{
"affected": [],
"aliases": [
"CVE-2019-11336"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-14T14:29:00Z",
"severity": "HIGH"
},
"details": "Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.",
"id": "GHSA-w4q6-fvv5-qw2w",
"modified": "2024-04-04T00:37:37Z",
"published": "2022-05-24T16:45:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11336"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Apr/34"
},
{
"type": "WEB",
"url": "https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Apr/32"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4RH-FGX7-Q63M
Vulnerability from github – Published: 2025-03-06 06:30 – Updated: 2025-04-09 20:12Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.
This is only exploitable if:
1) Logging is enabled;
2) Redis is using password authentication;
3) Those logs are accessible to an attacker, who can reach that redis instance.
Note:
It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ray"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1979"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-06T22:31:54Z",
"nvd_published_at": "2025-03-06T05:15:16Z",
"severity": "MODERATE"
},
"details": "Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.\n\nThis is only exploitable if:\n\n1) Logging is enabled;\n\n2) Redis is using password authentication;\n\n3) Those logs are accessible to an attacker, who can reach that redis instance.\n\n**Note:**\n\nIt is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.",
"id": "GHSA-w4rh-fgx7-q63m",
"modified": "2025-04-09T20:12:59Z",
"published": "2025-03-06T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1979"
},
{
"type": "WEB",
"url": "https://github.com/ray-project/ray/issues/50266"
},
{
"type": "WEB",
"url": "https://github.com/ray-project/ray/pull/50409"
},
{
"type": "WEB",
"url": "https://github.com/ray-project/ray/commit/64a2e4010522d60b90c389634f24df77b603d85d"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ray/PYSEC-2025-23.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ray-project/ray"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-RAY-8745212"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ray vulnerable to Insertion of Sensitive Information into Log File"
}
GHSA-W56X-Q3JG-3926
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23The Boa server configuration on DASAN H660RM devices with firmware 1.03-0022 logs POST data to the /tmp/boa-temp file, which allows logged-in users to read the credentials of administration web interface users.
{
"affected": [],
"aliases": [
"CVE-2019-9976"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-11T19:29:00Z",
"severity": "HIGH"
},
"details": "The Boa server configuration on DASAN H660RM devices with firmware 1.03-0022 logs POST data to the /tmp/boa-temp file, which allows logged-in users to read the credentials of administration web interface users.",
"id": "GHSA-w56x-q3jg-3926",
"modified": "2022-05-13T01:23:08Z",
"published": "2022-05-13T01:23:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9976"
},
{
"type": "WEB",
"url": "https://blog.burghardt.pl/2019/03/boa-webserver-on-dasan-h660rm-devices-with-firmware-1-03-0022-saves-post-data-including-credentials-to-tmp-boa-temp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W62X-QH57-5M94
Vulnerability from github – Published: 2023-04-20 00:30 – Updated: 2024-04-04 03:36Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
{
"affected": [],
"aliases": [
"CVE-2022-2084"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T22:15:10Z",
"severity": "MODERATE"
},
"details": "Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.",
"id": "GHSA-w62x-qh57-5m94",
"modified": "2024-04-04T03:36:26Z",
"published": "2023-04-20T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2084"
},
{
"type": "WEB",
"url": "https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/notices/USN-5496-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6F6-8JP4-H3C2
Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2024-07-02 21:32Under certain circumstances unnecessary user details are provided within system logs
{
"affected": [],
"aliases": [
"CVE-2024-32757"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-02T14:15:12Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances unnecessary user details are provided within system logs",
"id": "GHSA-w6f6-8jp4-h3c2",
"modified": "2024-07-02T21:32:14Z",
"published": "2024-07-02T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32757"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6FM-W97V-Q5V7
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-03 21:30IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. IBM X-Force ID: 160759.
{
"affected": [],
"aliases": [
"CVE-2019-4296"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T15:15:00Z",
"severity": "LOW"
},
"details": "IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. IBM X-Force ID: 160759.",
"id": "GHSA-w6fm-w97v-q5v7",
"modified": "2023-02-03T21:30:27Z",
"published": "2022-05-24T16:49:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4296"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160759"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10884844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W7F5-HW27-VF74
Vulnerability from github – Published: 2026-02-05 21:32 – Updated: 2026-02-05 21:32Tanium addressed an information disclosure vulnerability in Threat Response.
{
"affected": [],
"aliases": [
"CVE-2025-15332"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T19:15:54Z",
"severity": "MODERATE"
},
"details": "Tanium addressed an information disclosure vulnerability in Threat Response.",
"id": "GHSA-w7f5-hw27-vf74",
"modified": "2026-02-05T21:32:41Z",
"published": "2026-02-05T21:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15332"
},
{
"type": "WEB",
"url": "https://security.tanium.com/TAN-2025-020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.