CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-WF66-MPHR-4C4R
Vulnerability from github – Published: 2026-04-20 15:31 – Updated: 2026-04-24 20:37Information exposure vulnerability has been identified in Apache Kafka.
The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:
-
AlterConfigsRequest
-
AlterUserScramCredentialsRequest
-
ExpireDelegationTokenRequest
-
IncrementalAlterConfigsRequest
-
RenewDelegationTokenRequest
-
SaslAuthenticateRequest
-
createDelegationTokenResponse
-
describeDelegationTokenResponse
-
SaslAuthenticateResponse
This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. Apache advises Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka-clients"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "3.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka-clients"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.0.0"
]
}
],
"aliases": [
"CVE-2026-33558"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T20:37:18Z",
"nvd_published_at": "2026-04-20T14:16:19Z",
"severity": "MODERATE"
},
"details": "Information exposure vulnerability has been identified in Apache Kafka.\n\nThe NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:\n\n\n * AlterConfigsRequest\n\n * AlterUserScramCredentialsRequest\n\n * ExpireDelegationTokenRequest\n\n * IncrementalAlterConfigsRequest\n\n * RenewDelegationTokenRequest\n\n * SaslAuthenticateRequest\n\n * createDelegationTokenResponse\n\n * describeDelegationTokenResponse\n\n * SaslAuthenticateResponse\n\n\nThis issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. Apache advises Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.",
"id": "GHSA-wf66-mphr-4c4r",
"modified": "2026-04-24T20:37:18Z",
"published": "2026-04-20T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33558"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/kafka"
},
{
"type": "WEB",
"url": "https://kafka.apache.org/cve-list"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/17/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Kafka exposes sensitive information in its DEBUG logs"
}
GHSA-WFFP-P4H8-F6WQ
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 198836.
{
"affected": [],
"aliases": [
"CVE-2021-20536"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-26T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 198836.",
"id": "GHSA-wffp-p4h8-f6wq",
"modified": "2022-05-24T17:48:53Z",
"published": "2022-05-24T17:48:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20536"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198836"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6445739"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WG4G-395P-MQV3
Vulnerability from github – Published: 2026-04-25 23:35 – Updated: 2026-05-13 13:34Impact
When n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably n8n_manage_credentials.data — the raw values can be persisted in logs.
In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:
- bearer tokens and OAuth credentials sent through
n8n_manage_credentials - per-tenant API keys and webhook auth headers embedded in tool arguments
- arbitrary secret-bearing payloads passed to any MCP tool
The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. The fix removes the leak at the source.
Impact category: CWE-532 (Insertion of Sensitive Information into Log File). CVSS 3.1 score: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Affected
Deployments running n8n-mcp v2.47.12 or earlier in HTTP transport mode (MCP_MODE=http). The stdio transport short-circuits the relevant log calls and is not affected in practice.
Patched
v2.47.13 and later.
- npm:
npx n8n-mcp@latest(or pin to>= 2.47.13) - Docker:
docker pull ghcr.io/czlonkowski/n8n-mcp:latest
The patch routes tool-call arguments through a metadata-only summarizer (summarizeToolCallArgs) that records type, top-level key names, and approximate size — never values. The same pattern was adopted earlier for HTTP request bodies in GHSA-pfm2-2mhg-8wpx.
Workarounds
If developers cannot upgrade immediately:
- Restrict access to the HTTP port (firewall, reverse proxy, or VPN) so only trusted clients can authenticate.
- Restrict access to server logs (no shared SIEM ingestion, no support read-only access) until the upgrade lands.
- Switch to stdio transport (
MCP_MODE=stdio, the default for CLI invocation), which has no HTTP surface and short-circuits the affected log calls.
Credit
n8n-MCP thanks @Mirr2 (Organization / Jormungandr) for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42282"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:35:28Z",
"nvd_published_at": "2026-05-08T20:16:31Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen `n8n-mcp` runs in HTTP transport mode, authenticated MCP `tools/call` requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material \u2014 most notably `n8n_manage_credentials.data` \u2014 the raw values can be persisted in logs.\n\nIn deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:\n\n- bearer tokens and OAuth credentials sent through `n8n_manage_credentials`\n- per-tenant API keys and webhook auth headers embedded in tool arguments\n- arbitrary secret-bearing payloads passed to any MCP tool\n\nThe issue requires authentication (`AUTH_TOKEN` accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. The fix removes the leak at the source.\n\nImpact category: **CWE-532** (Insertion of Sensitive Information into Log File). CVSS 3.1 score: **4.3 Medium** (`AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`).\n\n### Affected\n\nDeployments running n8n-mcp **v2.47.12 or earlier** in HTTP transport mode (`MCP_MODE=http`). The stdio transport short-circuits the relevant log calls and is not affected in practice.\n\n### Patched\n\n**v2.47.13** and later.\n\n- npm: `npx n8n-mcp@latest` (or pin to `\u003e= 2.47.13`)\n- Docker: `docker pull ghcr.io/czlonkowski/n8n-mcp:latest`\n\nThe patch routes tool-call arguments through a metadata-only summarizer (`summarizeToolCallArgs`) that records type, top-level key names, and approximate size \u2014 never values. The same pattern was adopted earlier for HTTP request bodies in GHSA-pfm2-2mhg-8wpx.\n\n### Workarounds\n\nIf developers cannot upgrade immediately:\n\n- Restrict access to the HTTP port (firewall, reverse proxy, or VPN) so only trusted clients can authenticate.\n- Restrict access to server logs (no shared SIEM ingestion, no support read-only access) until the upgrade lands.\n- Switch to stdio transport (`MCP_MODE=stdio`, the default for CLI invocation), which has no HTTP surface and short-circuits the affected log calls.\n\n### Credit\n\nn8n-MCP thanks [@Mirr2](https://github.com/Mirr2) (Organization / Jormungandr) for reporting this issue.",
"id": "GHSA-wg4g-395p-mqv3",
"modified": "2026-05-13T13:34:59Z",
"published": "2026-04-25T23:35:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-wg4g-395p-mqv3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42282"
},
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451"
},
{
"type": "PACKAGE",
"url": "https://github.com/czlonkowski/n8n-mcp"
},
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode"
}
GHSA-WG52-V6X4-GHP3
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:40OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.
{
"affected": [],
"aliases": [
"CVE-2019-13515"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.",
"id": "GHSA-wg52-v6x4-ghp3",
"modified": "2024-04-04T01:40:38Z",
"published": "2022-05-24T16:53:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13515"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WG5X-3G47-V38R
Vulnerability from github – Published: 2026-05-19 15:40 – Updated: 2026-06-09 13:12When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.
Recommendation
- Update to the fixed version of the chaincode runtime.
- Redact or remove existing logs that contain the TLS private key password.
- Change the TLS private key password.
Mitigation
Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.1"
},
{
"fixed": "2.5.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45581"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T15:40:13Z",
"nvd_published_at": "2026-06-08T17:16:44Z",
"severity": "MODERATE"
},
"details": "When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.\n\n### Recommendation\n\n- Update to the fixed version of the chaincode runtime.\n- Redact or remove existing logs that contain the TLS private key password.\n- Change the TLS private key password.\n\n### Mitigation\n\nImpacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.",
"id": "GHSA-wg5x-3g47-v38r",
"modified": "2026-06-09T13:12:11Z",
"published": "2026-05-19T15:40:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45581"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperledger/fabric-chaincode-java"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode"
}
GHSA-WGPQ-P2HM-56V9
Vulnerability from github – Published: 2024-02-01 15:30 – Updated: 2024-05-23 13:55A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glance-store"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1141"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-779"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-05T22:32:25Z",
"nvd_published_at": "2024-02-01T15:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.",
"id": "GHSA-wgpq-p2hm-56v9",
"modified": "2024-05-23T13:55:44Z",
"published": "2024-02-01T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1141"
},
{
"type": "WEB",
"url": "https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2732"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1141"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/glance_store"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "glance-store logs s3 access keys"
}
GHSA-WGR7-WRHM-VCMG
Vulnerability from github – Published: 2024-03-22 00:31 – Updated: 2025-03-27 21:31An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.
{
"affected": [],
"aliases": [
"CVE-2024-24272"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T22:15:10Z",
"severity": "HIGH"
},
"details": "An issue in iTop DualSafe Password Manager \u0026 Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.",
"id": "GHSA-wgr7-wrhm-vcmg",
"modified": "2025-03-27T21:31:03Z",
"published": "2024-03-22T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24272"
},
{
"type": "WEB",
"url": "https://research.hisolutions.com/2024/03/cve-2024-24272-dualsafe-password-manager-leaks-credentials"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHP8-C256-P9F6
Vulnerability from github – Published: 2025-06-12 18:31 – Updated: 2025-06-12 18:31Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-36573"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T16:15:23Z",
"severity": "HIGH"
},
"details": "Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-whp8-c256-p9f6",
"modified": "2025-06-12T18:31:48Z",
"published": "2025-06-12T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36573"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000323183/dsa-2025-218"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHPH-446H-6M9V
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2023-08-03 19:30Azure SDK for .NET Information Disclosure Vulnerability via undisclosed methods relating to lack of sanitization of exception messages.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Rest.ClientRuntime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-26907"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-07T21:30:44Z",
"nvd_published_at": "2022-04-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "Azure SDK for .NET Information Disclosure Vulnerability via undisclosed methods relating to lack of sanitization of exception messages.",
"id": "GHSA-whph-446h-6m9v",
"modified": "2023-08-03T19:30:54Z",
"published": "2022-04-16T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26907"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-net/pull/28169"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-net/commit/e67f2a9fc5aa1060bd465d1458c347671268f6f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/Azure/azure-sdk-for-net"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-net/blob/a919c48ae294fed084a9679b6f53ac6af3fb4c3a/sdk/mgmtcommon/ClientRuntime/ClientRuntime/Microsoft.Rest.ClientRuntime.csproj#L11"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26907"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26907"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Azure SDK for .NET Information Disclosure Vulnerability."
}
GHSA-WHVH-7626-25QP
Vulnerability from github – Published: 2023-03-27 06:30 – Updated: 2023-03-27 06:30Juiker app stores debug logs which contains sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts.
{
"affected": [],
"aliases": [
"CVE-2022-39043"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-27T04:15:00Z",
"severity": "LOW"
},
"details": "Juiker app stores debug logs which contains sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts.",
"id": "GHSA-whvh-7626-25qp",
"modified": "2023-03-27T06:30:22Z",
"published": "2023-03-27T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39043"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-6922-4a37a-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.