CWE-1258
AllowedExposure of Sensitive System Information Due to Uncleared Debug Information
Abstraction: Base · Status: Draft
The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
19 vulnerabilities reference this CWE, most recent first.
GHSA-24Q9-G4P7-45QP
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-17 21:31In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
{
"affected": [],
"aliases": [
"CVE-2025-15480"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T16:16:25Z",
"severity": "LOW"
},
"details": "In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user\u0027s password hash in the attached logs.",
"id": "GHSA-24q9-g4p7-45qp",
"modified": "2026-04-17T21:31:42Z",
"published": "2026-04-09T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15480"
},
{
"type": "WEB",
"url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1399"
},
{
"type": "WEB",
"url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-297G-CJPM-QW2X
Vulnerability from github – Published: 2025-04-04 18:31 – Updated: 2026-04-28 21:35Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability in 1clickmigration 1 Click WordPress Migration allows Retrieve Embedded Sensitive Data. This issue affects 1 Click WordPress Migration: from n/a through 2.2.
{
"affected": [],
"aliases": [
"CVE-2025-32257"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T16:15:35Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability in 1clickmigration 1 Click WordPress Migration allows Retrieve Embedded Sensitive Data. This issue affects 1 Click WordPress Migration: from n/a through 2.2.",
"id": "GHSA-297g-cjpm-qw2x",
"modified": "2026-04-28T21:35:34Z",
"published": "2025-04-04T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32257"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/1-click-migration/vulnerability/wordpress-1-click-wordpress-migration-plugin-2-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4MJX-2GH5-PH8H
Vulnerability from github – Published: 2022-10-10 21:07 – Updated: 2022-10-10 21:07Impact
Debug logs expose sensitive URLs for Slack webhooks that contain private information.
Patches
The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.
Workarounds
Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.
References
https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
For more information
If you have any questions or comments about this advisory: * Open an issue in repo * Read our security policy
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slack-morphism"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39292"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-10T21:07:47Z",
"nvd_published_at": "2022-10-10T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nDebug logs expose sensitive URLs for Slack webhooks that contain private information.\n\n### Patches\nThe problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.\n\n### Workarounds\nDisabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.\n\n### References\nhttps://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [repo](https://github.com/abdolence/slack-morphism-rust)\n* Read our [security policy](https://github.com/abdolence/slack-morphism-rust/blob/master/SECURITY.md)\n\n",
"id": "GHSA-4mjx-2gh5-ph8h",
"modified": "2022-10-10T21:07:47Z",
"published": "2022-10-10T21:07:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39292"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/commit/48a1da2dc2ad3a5ccc60036d43f6f8fbb2c15f1d"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89"
},
{
"type": "PACKAGE",
"url": "https://github.com/abdolence/slack-morphism-rust"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0087.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of sensitive Slack webhook URLs in debug logs and traces"
}
GHSA-5P47-92QW-3767
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-17 21:31In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
{
"affected": [],
"aliases": [
"CVE-2025-14551"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T16:16:23Z",
"severity": "LOW"
},
"details": "In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user\u0027s plaintext Wi-Fi password, in the attached logs.",
"id": "GHSA-5p47-92qw-3767",
"modified": "2026-04-17T21:31:42Z",
"published": "2026-04-09T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14551"
},
{
"type": "WEB",
"url": "https://github.com/canonical/subiquity/pull/2357"
},
{
"type": "WEB",
"url": "https://github.com/canonical/subiquity/pull/2358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-99J7-MHFH-W84P
Vulnerability from github – Published: 2022-07-20 01:30 – Updated: 2022-08-10 23:31Impact
Potential/accidental leaking of Slack OAuth client information in application debug logs.
Patches
More strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.
Workarounds
Don't print/output in logs request and responses for OAuth and client configurations.
For more information
If you have any questions or comments about this advisory: * Open an issue in the repo * Email us at me@abdolence.dev
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slack-morphism"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31162"
],
"database_specific": {
"cwe_ids": [
"CWE-1258",
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-20T01:30:21Z",
"nvd_published_at": "2022-07-22T04:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nPotential/accidental leaking of Slack OAuth client information in application debug logs.\n\n### Patches\nMore strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.\n\n### Workarounds\nDon\u0027t print/output in logs request and responses for OAuth and client configurations.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [repo](https://github.com/abdolence/slack-morphism-rust)\n* Email us at [me@abdolence.dev](mailto:me@abdolence.dev)\n",
"id": "GHSA-99j7-mhfh-w84p",
"modified": "2022-08-10T23:31:07Z",
"published": "2022-07-20T01:30:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31162"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/pull/133"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/commit/4923fb7d458ed28c0302244c54cb4df0acee7ee6"
},
{
"type": "PACKAGE",
"url": "https://github.com/abdolence/slack-morphism-rust"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0086.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs"
}
GHSA-C7MF-MH8G-44Q2
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31Exposure of sensitive system information due to uncleared debug information for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2022-43666"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:14Z",
"severity": "LOW"
},
"details": "Exposure of sensitive system information due to uncleared debug information for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.",
"id": "GHSA-c7mf-mh8g-44q2",
"modified": "2023-11-14T21:31:00Z",
"published": "2023-11-14T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43666"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00963.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMV6-CWQ6-8742
Vulnerability from github – Published: 2025-09-25 21:30 – Updated: 2025-09-25 21:30Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contains an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-26482"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T21:15:31Z",
"severity": "MODERATE"
},
"details": "Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contains an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure.",
"id": "GHSA-fmv6-cwq6-8742",
"modified": "2025-09-25T21:30:25Z",
"published": "2025-09-25T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26482"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000370138/dsa-2025-046-security-update-for-dell-poweredge-server-and-dell-idrac9-for-information-disclosure-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QH8C-5J7C-5QV9
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Sensitive Data Exposure in JetBlog <= 2.4.8 versions.
{
"affected": [],
"aliases": [
"CVE-2026-52696"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:48Z",
"severity": "HIGH"
},
"details": "Unauthenticated Sensitive Data Exposure in JetBlog \u003c= 2.4.8 versions.",
"id": "GHSA-qh8c-5j7c-5qv9",
"modified": "2026-06-17T18:35:52Z",
"published": "2026-06-17T18:35:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52696"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-8-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX77-248C-HG83
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-18 18:31Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.174, 15G and 16G versions prior to 7.10.90.00, contain an Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-26948"
],
"database_specific": {
"cwe_ids": [
"CWE-1258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-18T18:16:26Z",
"severity": "MODERATE"
},
"details": "Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.174, 15G and 16G versions prior to 7.10.90.00, contain an Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.",
"id": "GHSA-qx77-248c-hg83",
"modified": "2026-03-18T18:31:18Z",
"published": "2026-03-18T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26948"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000434533/dsa-2026-113-security-update-for-dell-idrac9-and-idrac10-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Whenever debug mode is enabled, all registers containing sensitive assets must be cleared.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-204: Lifting Sensitive Data Embedded in Cache
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CAPEC-545: Pull Data from System Resources
An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.