CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1742 vulnerabilities reference this CWE, most recent first.
GHSA-R7MG-Q5MV-QG2V
Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
{
"affected": [],
"aliases": [
"CVE-2025-14437"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T13:15:47Z",
"severity": "HIGH"
},
"details": "The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the \u0027request\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.",
"id": "GHSA-r7mg-q5mv-qg2v",
"modified": "2025-12-18T15:30:43Z",
"published": "2025-12-18T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14437"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R87R-6J6C-XX59
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-19 00:01Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log
{
"affected": [],
"aliases": [
"CVE-2022-25826"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "LOW"
},
"details": "Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log",
"id": "GHSA-r87r-6j6c-xx59",
"modified": "2022-03-19T00:01:33Z",
"published": "2022-03-11T00:02:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25826"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8MH-6H4V-V5RM
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-11 19:00Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.
{
"affected": [],
"aliases": [
"CVE-2022-39876"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T15:15:00Z",
"severity": "LOW"
},
"details": "Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.",
"id": "GHSA-r8mh-6h4v-v5rm",
"modified": "2022-10-11T19:00:27Z",
"published": "2022-10-07T18:15:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39876"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R942-7MJ9-P58W
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-12 18:30The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user's installed apps.
{
"affected": [],
"aliases": [
"CVE-2026-20663"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:08Z",
"severity": "LOW"
},
"details": "The issue was resolved by sanitizing logging. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An app may be able to enumerate a user\u0027s installed apps.",
"id": "GHSA-r942-7mj9-p58w",
"modified": "2026-02-12T18:30:23Z",
"published": "2026-02-12T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20663"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R96M-RQ4F-96V2
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-10-16 19:00Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.
{
"affected": [],
"aliases": [
"CVE-2021-36318"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.",
"id": "GHSA-r96m-rq4f-96v2",
"modified": "2022-10-16T19:00:30Z",
"published": "2021-12-22T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36318"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-09"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000193369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R96X-G4H4-74Q6
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
{
"affected": [],
"aliases": [
"CVE-2019-8944"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-20T03:29:00Z",
"severity": "MODERATE"
},
"details": "An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.",
"id": "GHSA-r96x-g4h4-74q6",
"modified": "2022-05-13T01:08:17Z",
"published": "2022-05-13T01:08:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8944"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5314"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues/issues/5315"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9RQ-9R78-P9GM
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-22447"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:28Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into log file in the Open CAS software for Linux maintained by Intel before version 22.6.2 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-r9rq-9r78-p9gm",
"modified": "2024-04-04T04:00:33Z",
"published": "2023-05-10T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22447"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00827.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC54-2G2C-G36G
Vulnerability from github – Published: 2025-10-22 19:55 – Updated: 2025-10-23 17:40Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to:
sys/rawwith use ofencoding=base64, all data would be emitted unredacted to the audit log.- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.
Third-party plugins may be affected.
This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.
Patches
OpenBao v2.4.2 will patch this issue.
Workarounds
If users do not use the above functionality, they are not impacted. To prohibit the use of sys/raw globally, ensure raw_storage_endpoint=false is set or missing from the server configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251022165510-cc2c476bac66"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62705"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:55:40Z",
"nvd_published_at": "2025-10-22T22:15:35Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao\u0027s audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:\n\n- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.\n- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.\n\nThird-party plugins may be affected.\n\nThis issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. \n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.",
"id": "GHSA-rc54-2g2c-g36g",
"modified": "2025-10-23T17:40:56Z",
"published": "2025-10-22T19:55:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62705"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenBao and Vault Leak []byte Fields in Audit Logs "
}
GHSA-RC5C-4C27-CG98
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-20 00:00Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.
{
"affected": [],
"aliases": [
"CVE-2022-28774"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.",
"id": "GHSA-rc5c-4c27-cg98",
"modified": "2022-05-20T00:00:40Z",
"published": "2022-05-12T00:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28774"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3158188"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RCQJ-3FMP-5CQX
Vulnerability from github – Published: 2025-04-09 12:30 – Updated: 2025-07-15 23:07Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pulsar:pulsar-io-kafka"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30677"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T12:41:56Z",
"nvd_published_at": "2025-04-09T12:15:15Z",
"severity": "MODERATE"
},
"details": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",
"id": "GHSA-rcqj-3fmp-5cqx",
"modified": "2025-07-15T23:07:45Z",
"published": "2025-04-09T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30677"
},
{
"type": "WEB",
"url": "https://github.com/apache/pulsar/pull/24128"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/pulsar"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
},
{
"type": "WEB",
"url": "https://pulsar.apache.org/security"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.