CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
GHSA-V4PF-63WF-QFWW
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-18 00:30Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.
{
"affected": [],
"aliases": [
"CVE-2022-27895"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-15T20:15:00Z",
"severity": "HIGH"
},
"details": "Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.",
"id": "GHSA-v4pf-63wf-qfww",
"modified": "2022-11-18T00:30:18Z",
"published": "2022-11-16T12:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27895"
},
{
"type": "WEB",
"url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-06.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V554-XWGW-HC3W
Vulnerability from github – Published: 2024-05-15 17:09 – Updated: 2024-05-15 19:30Impact
When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.
Patches
This vulnerability was fixed in source-controller v1.2.5.
Workarounds
There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Credits
This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.
References
https://github.com/fluxcd/source-controller/pull/1430
For more information
If you have any questions or comments about this advisory:
- Open an issue in the source-controller repository.
- Contact us at the CNCF Flux Channel.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/fluxcd/source-controller"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31216"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T17:09:24Z",
"nvd_published_at": "2024-05-15T16:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.\n\n### Patches\n\nThis vulnerability was fixed in source-controller **v1.2.5**.\n\n### Workarounds\n\nThere is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure). \n\n### Credits\n\nThis issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.\n\n### References\n\nhttps://github.com/fluxcd/source-controller/pull/1430\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in the source-controller repository.\n- Contact us at the CNCF Flux Channel.\n",
"id": "GHSA-v554-xwgw-hc3w",
"modified": "2024-05-15T19:30:09Z",
"published": "2024-05-15T17:09:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31216"
},
{
"type": "WEB",
"url": "https://github.com/fluxcd/source-controller/pull/1430"
},
{
"type": "WEB",
"url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
},
{
"type": "PACKAGE",
"url": "https://github.com/fluxcd/source-controller"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "source-controller leaks Azure Storage SAS token into logs"
}
GHSA-V5J2-W836-Q3P2
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.
{
"affected": [],
"aliases": [
"CVE-2022-30733"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T19:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.",
"id": "GHSA-v5j2-w836-q3p2",
"modified": "2022-06-12T00:00:45Z",
"published": "2022-06-08T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30733"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V5W4-FVFM-37M6
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32Windows Kernel Memory Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21323"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:56Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Memory Information Disclosure Vulnerability",
"id": "GHSA-v5w4-fvfm-37m6",
"modified": "2025-01-14T18:32:04Z",
"published": "2025-01-14T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21323"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21323"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V6FX-59RV-2M7Q
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.
{
"affected": [],
"aliases": [
"CVE-2021-25350"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T17:15:00Z",
"severity": "LOW"
},
"details": "Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.",
"id": "GHSA-v6fx-59rv-2m7q",
"modified": "2022-05-24T17:45:23Z",
"published": "2022-05-24T17:45:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25350"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V6MG-7F7P-QMQP
Vulnerability from github – Published: 2024-06-04 17:52 – Updated: 2024-06-04 17:52Summary
Exposure of HTTP basic auth credentials from repository and keyring URLs in log output
Details
There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:
- The
%sverb was used to format aurl.URLas a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL. - A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.
apko, as well as its companion library go-apk, have been updated to ensure URLs are parsed and redacted before being output as string values.
PoC
Create a config file like this apko.yaml:
contents:
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
repositories:
- https://me%40example.com:supersecretpassword@localhost:8080/os
packages:
- wolfi-base
cmd: /bin/sh -l
archs:
- x86_64
- aarch64
Then run:
apko build apko.yaml latest foo.tar --log-level debug
Observe instances of the password being shown verbatim in the log output, such as:
...
DEBU image configuration:
contents:
repositories:
- https://me%40example.com:supersecretpassword@localhost:8080/os
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
packages:
- wolfi-base
...
Impact
For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "chainguard.dev/apko"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36127"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-04T17:52:15Z",
"nvd_published_at": "2024-06-03T15:15:09Z",
"severity": "HIGH"
},
"details": "### Summary\n\nExposure of HTTP basic auth credentials from repository and keyring URLs in log output\n\n### Details\n\nThere was a handful of instances where the `apko` tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:\n\n1. The`%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.\n2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.\n\napko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values.\n\n### PoC\n\nCreate a config file like this `apko.yaml`:\n\n```yaml\ncontents:\n keyring:\n - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n repositories:\n - https://me%40example.com:supersecretpassword@localhost:8080/os\n packages:\n - wolfi-base\n\ncmd: /bin/sh -l\n\narchs:\n- x86_64\n- aarch64\n```\n\nThen run:\n\n```shell\napko build apko.yaml latest foo.tar --log-level debug\n```\n\nObserve instances of the password being shown verbatim in the log output, such as:\n\n```text\n...\nDEBU image configuration:\ncontents:\n repositories:\n - https://me%40example.com:supersecretpassword@localhost:8080/os\n keyring:\n - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n packages:\n - wolfi-base\n...\n```\n\n### Impact\n\nFor users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user\u0027s logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.",
"id": "GHSA-v6mg-7f7p-qmqp",
"modified": "2024-06-04T17:52:15Z",
"published": "2024-06-04T17:52:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36127"
},
{
"type": "WEB",
"url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"
},
{
"type": "PACKAGE",
"url": "https://github.com/chainguard-dev/apko"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "apko Exposure of HTTP basic auth credentials in log output"
}
GHSA-V6V8-XJ6M-XWQH
Vulnerability from github – Published: 2024-06-24 18:31 – Updated: 2024-06-26 19:31go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/go-retryablehttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6104"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-24T21:32:07Z",
"nvd_published_at": "2024-06-24T17:15:11Z",
"severity": "MODERATE"
},
"details": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.",
"id": "GHSA-v6v8-xj6m-xwqh",
"modified": "2024-06-26T19:31:28Z",
"published": "2024-06-24T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6104"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-retryablehttp/commit/a99f07beb3c5faaa0a283617e6eb6bcf25f5049a"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/c/security"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v6v8-xj6m-xwqh"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/go-retryablehttp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "go-retryablehttp can leak basic auth credentials to log files"
}
GHSA-V725-XJ67-9V99
Vulnerability from github – Published: 2023-10-17 12:30 – Updated: 2024-04-04 08:42Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged.
{
"affected": [],
"aliases": [
"CVE-2023-5339"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T10:15:10Z",
"severity": "MODERATE"
},
"details": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n",
"id": "GHSA-v725-xj67-9v99",
"modified": "2024-04-04T08:42:55Z",
"published": "2023-10-17T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5339"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V735-2PP6-H86R
Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2024-09-04 19:38Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0a1"
},
{
"fixed": "2.6.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16859"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:07:45Z",
"nvd_published_at": "2018-11-29T18:29:00Z",
"severity": "MODERATE"
},
"details": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for \u0027become\u0027 passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.",
"id": "GHSA-v735-2pp6-h86r",
"modified": "2024-09-04T19:38:45Z",
"published": "2022-05-14T01:14:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16859"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/49142"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3770"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3771"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3772"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3773"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible Logs Passwords If PowerShell ScriptBlock is Enabled"
}
GHSA-V75G-77VF-6JJQ
Vulnerability from github – Published: 2025-05-30 20:01 – Updated: 2025-06-03 01:10CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 7.5 (High) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Para Server Initialization Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java
Vulnerable Line(s): Line 132 (via logger.info(...) with root credentials)
Technical Details:
The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:
logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.",
rootAppCredentials.get("accessKey"),
rootAppCredentials.get("secretKey"),
confFile);
This exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.erudika:para-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.50.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48955"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-30T20:01:10Z",
"nvd_published_at": "2025-06-02T12:15:25Z",
"severity": "MODERATE"
},
"details": "CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)\nCVSS: 7.5 (High)\nVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n**Affected Component:** Para Server Initialization Logging\n**Version:** Para v1.50.6\n**File Path:** `para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java`\n**Vulnerable Line(s):** Line 132 (via `logger.info(...)` with root credentials)\n\nTechnical Details:\n\nThe vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:\n```java\nlogger.info(\"Initialized root app with access key \u0027{}\u0027 and secret \u0027{}\u0027, but could not write these to {}.\",\n rootAppCredentials.get(\"accessKey\"),\n rootAppCredentials.get(\"secretKey\"),\n confFile);\n```\nThis exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.",
"id": "GHSA-v75g-77vf-6jjq",
"modified": "2025-06-03T01:10:53Z",
"published": "2025-05-30T20:01:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48955"
},
{
"type": "WEB",
"url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"
},
{
"type": "PACKAGE",
"url": "https://github.com/Erudika/para"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Para Server Logs Sensitive Information"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.