Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-W42R-7HMW-4854

Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-04-17 09:31
VLAI
Details

Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T09:16:05Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled.",
  "id": "GHSA-w42r-7hmw-4854",
  "modified": "2026-04-17T09:31:20Z",
  "published": "2026-04-17T09:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23775"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4FJ-CCR6-7PCP

Vulnerability from github – Published: 2022-01-06 20:40 – Updated: 2023-09-25 11:29
VLAI
Summary
Apache NiFi Insertion of Sensitive Information into Log File
Details

An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-parameter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.10.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T14:27:46Z",
    "nvd_published_at": "2020-01-28T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.",
  "id": "GHSA-w4fj-ccr6-7pcp",
  "modified": "2023-09-25T11:29:40Z",
  "published": "2022-01-06T20:40:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/pull/3935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/42cb6e84898e66672878f61f99543d6af3c0a567"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/nifi"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2020-1928"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache NiFi Insertion of Sensitive Information into Log File"
}

GHSA-W4PP-3G66-R345

Vulnerability from github – Published: 2023-09-17 12:30 – Updated: 2023-09-17 12:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in China Unicom TEWA-800G 4.16L.04_CT2015_Yueme. Affected by this issue is some unknown functionality. The manipulation leads to information exposure through debug log file. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-239870 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-17T11:15:07Z",
    "severity": "LOW"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in China Unicom TEWA-800G 4.16L.04_CT2015_Yueme. Affected by this issue is some unknown functionality. The manipulation leads to information exposure through debug log file. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-239870 is the identifier assigned to this vulnerability.",
  "id": "GHSA-w4pp-3g66-r345",
  "modified": "2023-09-17T12:30:18Z",
  "published": "2023-09-17T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5028"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pinglan123/-/wiki/%E4%B8%AD%E5%9B%BD%E8%81%94%E9%80%9A%E5%AE%B6%E7%94%A8%E7%BD%91%E5%85%B3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.239870"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.239870"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4Q6-FVV5-QW2W

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:37
VLAI
Details

Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-14T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.",
  "id": "GHSA-w4q6-fvv5-qw2w",
  "modified": "2024-04-04T00:37:37Z",
  "published": "2022-05-24T16:45:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11336"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Apr/34"
    },
    {
      "type": "WEB",
      "url": "https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Apr/32"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4RH-FGX7-Q63M

Vulnerability from github – Published: 2025-03-06 06:30 – Updated: 2025-04-09 20:12
VLAI
Summary
ray vulnerable to Insertion of Sensitive Information into Log File
Details

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.

This is only exploitable if:

1) Logging is enabled;

2) Redis is using password authentication;

3) Those logs are accessible to an attacker, who can reach that redis instance.

Note:

It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.43.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T22:31:54Z",
    "nvd_published_at": "2025-03-06T05:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.\n\nThis is only exploitable if:\n\n1) Logging is enabled;\n\n2) Redis is using password authentication;\n\n3) Those logs are accessible to an attacker, who can reach that redis instance.\n\n**Note:**\n\nIt is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.",
  "id": "GHSA-w4rh-fgx7-q63m",
  "modified": "2025-04-09T20:12:59Z",
  "published": "2025-03-06T06:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1979"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/issues/50266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/pull/50409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/commit/64a2e4010522d60b90c389634f24df77b603d85d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ray/PYSEC-2025-23.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ray-project/ray"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-RAY-8745212"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ray vulnerable to Insertion of Sensitive Information into Log File"
}

GHSA-W56X-Q3JG-3926

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

The Boa server configuration on DASAN H660RM devices with firmware 1.03-0022 logs POST data to the /tmp/boa-temp file, which allows logged-in users to read the credentials of administration web interface users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-11T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Boa server configuration on DASAN H660RM devices with firmware 1.03-0022 logs POST data to the /tmp/boa-temp file, which allows logged-in users to read the credentials of administration web interface users.",
  "id": "GHSA-w56x-q3jg-3926",
  "modified": "2022-05-13T01:23:08Z",
  "published": "2022-05-13T01:23:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9976"
    },
    {
      "type": "WEB",
      "url": "https://blog.burghardt.pl/2019/03/boa-webserver-on-dasan-h660rm-devices-with-firmware-1-03-0022-saves-post-data-including-credentials-to-tmp-boa-temp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W62X-QH57-5M94

Vulnerability from github – Published: 2023-04-20 00:30 – Updated: 2024-04-04 03:36
VLAI
Details

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.",
  "id": "GHSA-w62x-qh57-5m94",
  "modified": "2024-04-04T03:36:26Z",
  "published": "2023-04-20T00:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/notices/USN-5496-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6F6-8JP4-H3C2

Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2024-07-02 21:32
VLAI
Details

Under certain circumstances unnecessary user details are provided within system logs

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-02T14:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Under certain circumstances unnecessary user details are provided within system logs",
  "id": "GHSA-w6f6-8jp4-h3c2",
  "modified": "2024-07-02T21:32:14Z",
  "published": "2024-07-02T21:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32757"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6FM-W97V-Q5V7

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-03 21:30
VLAI
Details

IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. IBM X-Force ID: 160759.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-01T15:15:00Z",
    "severity": "LOW"
  },
  "details": "IBM Robotic Process Automation with Automation Anywhere 11 information disclosure could allow a local user to obtain e-mail contents from the client debug log file. IBM X-Force ID: 160759.",
  "id": "GHSA-w6fm-w97v-q5v7",
  "modified": "2023-02-03T21:30:27Z",
  "published": "2022-05-24T16:49:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4296"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160759"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10884844"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7F5-HW27-VF74

Vulnerability from github – Published: 2026-02-05 21:32 – Updated: 2026-02-05 21:32
VLAI
Details

Tanium addressed an information disclosure vulnerability in Threat Response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T19:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Tanium addressed an information disclosure vulnerability in Threat Response.",
  "id": "GHSA-w7f5-hw27-vf74",
  "modified": "2026-02-05T21:32:41Z",
  "published": "2026-02-05T21:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15332"
    },
    {
      "type": "WEB",
      "url": "https://security.tanium.com/TAN-2025-020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.