Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-QV9R-4W4X-36G7

Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-04-04 06:52
VLAI
Details

Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-11T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.",
  "id": "GHSA-qv9r-4w4x-36g7",
  "modified": "2024-04-04T06:52:36Z",
  "published": "2023-08-11T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cms-dev/cms/issues/1160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWQW-5HFM-4VGG

Vulnerability from github – Published: 2024-02-06 12:30 – Updated: 2024-02-06 12:30
VLAI
Details

In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T10:15:10Z",
    "severity": "LOW"
  },
  "details": "In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible",
  "id": "GHSA-qwqw-5hfm-4vgg",
  "modified": "2024-02-06T12:30:31Z",
  "published": "2024-02-06T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24939"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX5M-JJ5C-5J9V

Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-08-26 00:31
VLAI
Details

On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-25T20:15:39Z",
    "severity": "LOW"
  },
  "details": "On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.",
  "id": "GHSA-qx5m-jj5c-5j9v",
  "modified": "2025-08-26T00:31:14Z",
  "published": "2025-08-26T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3456"
    },
    {
      "type": "WEB",
      "url": "https://https://www.arista.com/en/support/advisories-notices/security-advisory/22022-security-advisory-0122"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX7G-FX8Q-545G

Vulnerability from github – Published: 2025-06-06 15:49 – Updated: 2025-06-13 15:28
VLAI
Summary
Para Inserts Sensitive Information into Log File for Facebook authentication
Details

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Facebook Authentication Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)

Technical Details:

The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:

logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`

Here, PROFILE_URL is a constant:

private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";

This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.erudika:para-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.50.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T15:49:58Z",
    "nvd_published_at": "2025-06-05T17:15:29Z",
    "severity": "MODERATE"
  },
  "details": "CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)\nCVSS: 6.2 (Medium)\nVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n**Affected Component:** Facebook Authentication Logging\n**Version:** Para v1.50.6\n**File Path:** para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java\n**Vulnerable Line(s):** Line 184 (logger.warn(...) with raw access token)\n\nTechnical Details:\n\nThe vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook\u2019s user profile endpoint triggers the following log statement:\n```java\nlogger.warn(\"Facebook auth request failed: GET \" + PROFILE_URL + accessToken, e);`\n```\n\nHere, `PROFILE_URL` is a constant:\n```java\nprivate static final String PROFILE_URL = \"https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)\u0026access_token=\";\n```\nThis results in the full request URL being logged, including the user\u0027s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.",
  "id": "GHSA-qx7g-fx8q-545g",
  "modified": "2025-06-13T15:28:47Z",
  "published": "2025-06-06T15:49:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Erudika/para"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Para Inserts Sensitive Information into Log File for Facebook authentication"
}

GHSA-QXMC-P4V9-VCQQ

Vulnerability from github – Published: 2024-01-01 15:30 – Updated: 2024-01-08 18:30
VLAI
Details

The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-01T15:15:43Z",
    "severity": "HIGH"
  },
  "details": "The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.",
  "id": "GHSA-qxmc-p4v9-vcqq",
  "modified": "2024-01-08T18:30:26Z",
  "published": "2024-01-01T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6064"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/423c8881-628b-4380-9677-65b3f5165efe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R22F-RMV4-8Q7H

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-18 00:01
VLAI
Details

In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191086488

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191086488",
  "id": "GHSA-r22f-rmv4-8q7h",
  "modified": "2021-12-18T00:01:19Z",
  "published": "2021-12-16T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0997"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R24Q-43J9-J222

Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01
VLAI
Details

In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-184525194

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-30T16:15:00Z",
    "severity": "LOW"
  },
  "details": "In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-184525194",
  "id": "GHSA-r24q-43j9-j222",
  "modified": "2022-04-06T00:01:56Z",
  "published": "2022-03-31T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39739"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-12l"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2PH-VGMF-8GQH

Vulnerability from github – Published: 2024-11-18 06:30 – Updated: 2024-11-18 18:30
VLAI
Details

AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim's AnyDesk ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T05:15:05Z",
    "severity": "HIGH"
  },
  "details": "AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim\u0027s AnyDesk ID.",
  "id": "GHSA-r2ph-vgmf-8gqh",
  "modified": "2024-11-18T18:30:54Z",
  "published": "2024-11-18T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52940"
    },
    {
      "type": "WEB",
      "url": "https://download.anydesk.com/changelog.txt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ebrasha/abdal-anydesk-remote-ip-detector"
    },
    {
      "type": "WEB",
      "url": "https://x.com/ProfShafiei/status/1850856458017009830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R33Q-8FQQ-HPHJ

Vulnerability from github – Published: 2022-05-14 02:18 – Updated: 2022-05-14 02:18
VLAI
Details

An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-29T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.",
  "id": "GHSA-r33q-8fqq-hphj",
  "modified": "2022-05-14T02:18:48Z",
  "published": "2022-05-14T02:18:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6599"
    },
    {
      "type": "WEB",
      "url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R35R-RM7G-V9M8

Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31
VLAI
Details

Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T17:16:35Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.",
  "id": "GHSA-r35r-rm7g-v9m8",
  "modified": "2026-07-01T18:31:54Z",
  "published": "2026-07-01T18:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49088"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-18-9-8-19-6-9-0-8-9-1-6-security-update-esa-2026-50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.