Common Weakness Enumeration

CWE-1258

Allowed

Exposure of Sensitive System Information Due to Uncleared Debug Information

Abstraction: Base · Status: Draft

The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.

19 vulnerabilities reference this CWE, most recent first.

GHSA-24Q9-G4P7-45QP

Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-17 21:31
VLAI
Details

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T16:16:25Z",
    "severity": "LOW"
  },
  "details": "In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user\u0027s password hash in the attached logs.",
  "id": "GHSA-24q9-g4p7-45qp",
  "modified": "2026-04-17T21:31:42Z",
  "published": "2026-04-09T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1400"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-297G-CJPM-QW2X

Vulnerability from github – Published: 2025-04-04 18:31 – Updated: 2026-04-28 21:35
VLAI
Details

Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability in 1clickmigration 1 Click WordPress Migration allows Retrieve Embedded Sensitive Data. This issue affects 1 Click WordPress Migration: from n/a through 2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T16:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability in 1clickmigration 1 Click WordPress Migration allows Retrieve Embedded Sensitive Data. This issue affects 1 Click WordPress Migration: from n/a through 2.2.",
  "id": "GHSA-297g-cjpm-qw2x",
  "modified": "2026-04-28T21:35:34Z",
  "published": "2025-04-04T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32257"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/1-click-migration/vulnerability/wordpress-1-click-wordpress-migration-plugin-2-1-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MJX-2GH5-PH8H

Vulnerability from github – Published: 2022-10-10 21:07 – Updated: 2022-10-10 21:07
VLAI
Summary
Exposure of sensitive Slack webhook URLs in debug logs and traces
Details

Impact

Debug logs expose sensitive URLs for Slack webhooks that contain private information.

Patches

The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.

Workarounds

Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.

References

https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2

For more information

If you have any questions or comments about this advisory: * Open an issue in repo * Read our security policy

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "slack-morphism"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-10T21:07:47Z",
    "nvd_published_at": "2022-10-10T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nDebug logs expose sensitive URLs for Slack webhooks that contain private information.\n\n### Patches\nThe problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.\n\n### Workarounds\nDisabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.\n\n### References\nhttps://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [repo](https://github.com/abdolence/slack-morphism-rust)\n* Read our [security policy](https://github.com/abdolence/slack-morphism-rust/blob/master/SECURITY.md)\n\n",
  "id": "GHSA-4mjx-2gh5-ph8h",
  "modified": "2022-10-10T21:07:47Z",
  "published": "2022-10-10T21:07:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/commit/48a1da2dc2ad3a5ccc60036d43f6f8fbb2c15f1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/abdolence/slack-morphism-rust"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0087.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of sensitive Slack webhook URLs in debug logs and traces"
}

GHSA-5P47-92QW-3767

Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-17 21:31
VLAI
Details

In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T16:16:23Z",
    "severity": "LOW"
  },
  "details": "In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user\u0027s plaintext Wi-Fi password, in the attached logs.",
  "id": "GHSA-5p47-92qw-3767",
  "modified": "2026-04-17T21:31:42Z",
  "published": "2026-04-09T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/subiquity/pull/2357"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/subiquity/pull/2358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-99J7-MHFH-W84P

Vulnerability from github – Published: 2022-07-20 01:30 – Updated: 2022-08-10 23:31
VLAI
Summary
Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs
Details

Impact

Potential/accidental leaking of Slack OAuth client information in application debug logs.

Patches

More strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.

Workarounds

Don't print/output in logs request and responses for OAuth and client configurations.

For more information

If you have any questions or comments about this advisory: * Open an issue in the repo * Email us at me@abdolence.dev

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "slack-morphism"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.41.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258",
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-20T01:30:21Z",
    "nvd_published_at": "2022-07-22T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPotential/accidental leaking of Slack OAuth client information in application debug logs.\n\n### Patches\nMore strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.\n\n### Workarounds\nDon\u0027t print/output in logs request and responses for OAuth and client configurations.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [repo](https://github.com/abdolence/slack-morphism-rust)\n* Email us at [me@abdolence.dev](mailto:me@abdolence.dev)\n",
  "id": "GHSA-99j7-mhfh-w84p",
  "modified": "2022-08-10T23:31:07Z",
  "published": "2022-07-20T01:30:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31162"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/pull/133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/commit/4923fb7d458ed28c0302244c54cb4df0acee7ee6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/abdolence/slack-morphism-rust"
    },
    {
      "type": "WEB",
      "url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0086.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs"
}

GHSA-C7MF-MH8G-44Q2

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31
VLAI
Details

Exposure of sensitive system information due to uncleared debug information for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:14Z",
    "severity": "LOW"
  },
  "details": "Exposure of sensitive system information due to uncleared debug information for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-c7mf-mh8g-44q2",
  "modified": "2023-11-14T21:31:00Z",
  "published": "2023-11-14T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43666"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00963.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMV6-CWQ6-8742

Vulnerability from github – Published: 2025-09-25 21:30 – Updated: 2025-09-25 21:30
VLAI
Details

Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contains an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-25T21:15:31Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contains an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure.",
  "id": "GHSA-fmv6-cwq6-8742",
  "modified": "2025-09-25T21:30:25Z",
  "published": "2025-09-25T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26482"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000370138/dsa-2025-046-security-update-for-dell-poweredge-server-and-dell-idrac9-for-information-disclosure-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QH8C-5J7C-5QV9

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Sensitive Data Exposure in JetBlog <= 2.4.8 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:48Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Sensitive Data Exposure in JetBlog \u003c= 2.4.8 versions.",
  "id": "GHSA-qh8c-5j7c-5qv9",
  "modified": "2026-06-17T18:35:52Z",
  "published": "2026-06-17T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52696"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-8-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX77-248C-HG83

Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-18 18:31
VLAI
Details

Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.174, 15G and 16G versions prior to 7.10.90.00, contain an Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1258"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-18T18:16:26Z",
    "severity": "MODERATE"
  },
  "details": "Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.174, 15G and 16G versions prior to 7.10.90.00, contain an Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-qx77-248c-hg83",
  "modified": "2026-03-18T18:31:18Z",
  "published": "2026-03-18T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26948"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000434533/dsa-2026-113-security-update-for-dell-idrac9-and-idrac10-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Whenever debug mode is enabled, all registers containing sensitive assets must be cleared.

CAPEC-150: Collect Data from Common Resource Locations

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

CAPEC-204: Lifting Sensitive Data Embedded in Cache

An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

CAPEC-545: Pull Data from System Resources

An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.