CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1744 vulnerabilities reference this CWE, most recent first.
GHSA-JMRX-5G74-6V2F
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2025-02-28 18:06The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/client-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11250"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T00:35:06Z",
"nvd_published_at": "2019-08-29T01:15:00Z",
"severity": "MODERATE"
},
"details": "The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.",
"id": "GHSA-jmrx-5g74-6v2f",
"modified": "2025-02-28T18:06:30Z",
"published": "2022-05-24T16:55:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11250"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/81114"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/81330"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4052"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4087"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0065"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0003"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/10/16/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kubernetes client-go library logs may disclose credentials to unauthorized users"
}
GHSA-JP24-RG62-2H88
Vulnerability from github – Published: 2024-10-31 03:30 – Updated: 2024-10-31 03:30The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.
{
"affected": [],
"aliases": [
"CVE-2024-10544"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-31T02:15:03Z",
"severity": "MODERATE"
},
"details": "The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.",
"id": "GHSA-jp24-rg62-2h88",
"modified": "2024-10-31T03:30:45Z",
"published": "2024-10-31T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10544"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-manage-fraud-orders/trunk/includes/class-wmfo-debug-log.php#L25"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a62df5f6-64b0-4489-9dde-0d472040ee12?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JP7V-3587-2956
Vulnerability from github – Published: 2023-02-08 21:38 – Updated: 2023-02-08 21:38A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.
Impact
The SYFT_ATTEST_PASSWORD environment variable is for the syft attest command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with syft attest --key <path-to-key-file>) during the signing process while generating an SBOM attestation.
This vulnerability affects users running syft that have the SYFT_ATTEST_PASSWORD environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable SYFT_ATTEST_PASSWORD set are not affected by this issue.
The credentials are leaked in two ways:
- in the syft logs when -vv or -vvv are used in the syft command (which is any log level >= DEBUG)
- in the attestation or SBOM only when the syft-json format is used
Note that as of v0.69.0 any generated attestations by the syft attest command are uploaded to the OCI registry (if you have write access to that registry) in the same way cosign attach is done. This means that any attestations generated for the affected versions of syft when the SYFT_ATTEST_PASSWORD environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.
Example commands run from affected versions of syft that show the credential disclosure:
$ SYFT_ATTEST_PASSWORD=123456 syft <container-image-or-directory-input> -o syft-json | grep 123456
# "123456" is in the output
$ SYFT_ATTEST_PASSWORD=123456 syft attest <container-image-input> -o syft-json
$ cosign download attestation <container-image-input> | jq -r '.payload' | base64 -d | grep 123456
# "123456" is in the output
Patches
The patch has been released in v0.70.0.
Workarounds
There are no workarounds for this vulnerability.
References
Patch pull request: https://github.com/anchore/syft/pull/1538
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/anchore/syft"
},
"ranges": [
{
"events": [
{
"introduced": "0.69.0"
},
{
"fixed": "0.70.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24827"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T21:38:46Z",
"nvd_published_at": "2023-02-07T01:15:00Z",
"severity": "MODERATE"
},
"details": "A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.\n\n### Impact\nThe `SYFT_ATTEST_PASSWORD` environment variable is for the `syft attest` command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with `syft attest --key \u003cpath-to-key-file\u003e`) during the signing process while generating an SBOM attestation. \n\nThis vulnerability affects users running syft that have the `SYFT_ATTEST_PASSWORD` environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable `SYFT_ATTEST_PASSWORD` set are not affected by this issue.\n\nThe credentials are leaked in two ways:\n- in the syft logs when `-vv` or `-vvv` are used in the syft command (which is any log level \u003e= `DEBUG`)\n- in the attestation or SBOM only when the `syft-json` format is used \n\nNote that as of v0.69.0 any generated attestations by the `syft attest` command are uploaded to the OCI registry (if you have write access to that registry) in the same way `cosign attach` is done. This means that any attestations generated for the affected versions of syft when the `SYFT_ATTEST_PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.\n\nExample commands run from affected versions of syft that show the credential disclosure:\n```bash\n$ SYFT_ATTEST_PASSWORD=123456 syft \u003ccontainer-image-or-directory-input\u003e -o syft-json | grep 123456\n# \"123456\" is in the output\n\n$ SYFT_ATTEST_PASSWORD=123456 syft attest \u003ccontainer-image-input\u003e -o syft-json \n$ cosign download attestation \u003ccontainer-image-input\u003e | jq -r \u0027.payload\u0027 | base64 -d | grep 123456\n# \"123456\" is in the output\n```\n\n### Patches\n\nThe patch has been released in v0.70.0.\n\n### Workarounds\n\nThere are no workarounds for this vulnerability.\n\n### References\n\nPatch pull request: https://github.com/anchore/syft/pull/1538",
"id": "GHSA-jp7v-3587-2956",
"modified": "2023-02-08T21:38:46Z",
"published": "2023-02-08T21:38:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24827"
},
{
"type": "WEB",
"url": "https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/anchore/syft"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set"
}
GHSA-JPCM-4485-69P7
Vulnerability from github – Published: 2021-03-09 00:38 – Updated: 2021-03-12 17:32Impact
The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.
When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors.
Patches
Fixed in version 3.0.0
References
- https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44
- https://github.com/bmuschko/gradle-vagrant-plugin/issues/19
- https://github.com/bmuschko/gradle-vagrant-plugin/pull/20
For more information
If you have any questions or comments about this advisory: * Open an issue in bmuschko/gradle-vagrant-plugin
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.bmuschko:gradle-vagrant-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0.6"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21361"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-09T00:38:15Z",
"nvd_published_at": "2021-03-09T01:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.\n\nWhen this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors.\n\n### Patches\nFixed in version 3.0.0\n\n### References\n\n - https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44\n - https://github.com/bmuschko/gradle-vagrant-plugin/issues/19\n - https://github.com/bmuschko/gradle-vagrant-plugin/pull/20\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [bmuschko/gradle-vagrant-plugin](https://github.com/bmuschko/gradle-vagrant-plugin)",
"id": "GHSA-jpcm-4485-69p7",
"modified": "2021-03-12T17:32:39Z",
"published": "2021-03-09T00:38:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-jpcm-4485-69p7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21361"
},
{
"type": "WEB",
"url": "https://github.com/bmuschko/gradle-vagrant-plugin/issues/19"
},
{
"type": "WEB",
"url": "https://github.com/bmuschko/gradle-vagrant-plugin/pull/20"
},
{
"type": "WEB",
"url": "https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin"
}
GHSA-JPXC-VMJF-9FCJ
Vulnerability from github – Published: 2024-09-16 14:37 – Updated: 2025-11-04 00:31A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.17.0b1"
},
{
"fixed": "2.17.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.16.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8775"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-16T22:49:05Z",
"nvd_published_at": "2024-09-14T03:15:08Z",
"severity": "HIGH"
},
"details": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.",
"id": "GHSA-jpxc-vmjf-9fcj",
"modified": "2025-11-04T00:31:25Z",
"published": "2024-09-16T14:37:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8775"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/8a87e1c5d37422bc99d27ad4237d185cc233e035"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10762"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8969"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9894"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1249"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8775"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jpxc-vmjf-9fcj"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/v2.16.13/changelogs/CHANGELOG-v2.16.rst#security-fixes"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/v2.17.6/changelogs/CHANGELOG-v2.17.rst#security-fixes"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible vulnerable to Insertion of Sensitive Information into Log File"
}
GHSA-JQ79-7R7X-WCGV
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application.
{
"affected": [],
"aliases": [
"CVE-2020-23284"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-20T20:15:00Z",
"severity": "HIGH"
},
"details": "Information disclosure in aspx pages in MV\u0027s IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application.",
"id": "GHSA-jq79-7r7x-wcgv",
"modified": "2022-05-24T19:08:26Z",
"published": "2022-05-24T19:08:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23284"
},
{
"type": "WEB",
"url": "https://github.com/ifmacedo/mconnect/blob/main/sensitiveDataExposure"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQH2-CH7P-XWXH
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-12-06 12:30A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkiverse.cxf:quarkus-cxf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9621"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-08T22:23:11Z",
"nvd_published_at": "2024-10-08T17:15:57Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.",
"id": "GHSA-jqh2-ch7p-xwxh",
"modified": "2024-12-06T12:30:47Z",
"published": "2024-10-08T18:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9621"
},
{
"type": "WEB",
"url": "https://github.com/quarkiverse/quarkus-cxf/issues/1533"
},
{
"type": "WEB",
"url": "https://github.com/quarkiverse/quarkus-cxf/commit/8ed72cab8db8e5659e294b05529d2b45557859bd"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10035"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9621"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317130"
},
{
"type": "WEB",
"url": "https://docs.quarkiverse.io/quarkus-cxf/dev/release-notes/3.15.2.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/quarkiverse/quarkus-cxf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Quarkus CXF logs passwords and other secrets"
}
GHSA-JQQ8-Q6F3-QFXH
Vulnerability from github – Published: 2025-03-27 06:32 – Updated: 2025-03-27 06:32HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-0273"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T05:15:38Z",
"severity": "MODERATE"
},
"details": "HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user.",
"id": "GHSA-jqq8-q6f3-qfxh",
"modified": "2025-03-27T06:32:04Z",
"published": "2025-03-27T06:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0273"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR38-4278-53PJ
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-18 21:31In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI.
{
"affected": [],
"aliases": [
"CVE-2025-14432"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T16:15:57Z",
"severity": "HIGH"
},
"details": "In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI.",
"id": "GHSA-jr38-4278-53pj",
"modified": "2025-12-18T21:31:34Z",
"published": "2025-12-16T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14432"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_13612310-13612332-16/hpsbpy04080"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JRP2-PGJJ-VWPM
Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 18:32CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the device.
{
"affected": [],
"aliases": [
"CVE-2025-2002"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T16:15:24Z",
"severity": "MODERATE"
},
"details": "CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure\nof FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an\nadministrative user and the debug files are exported from the device.",
"id": "GHSA-jrp2-pgjj-vwpm",
"modified": "2025-03-12T18:32:53Z",
"published": "2025-03-12T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2002"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-070-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.