Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-V4PF-63WF-QFWW

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-18 00:30
VLAI
Details

Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.",
  "id": "GHSA-v4pf-63wf-qfww",
  "modified": "2022-11-18T00:30:18Z",
  "published": "2022-11-16T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-06.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V554-XWGW-HC3W

Vulnerability from github – Published: 2024-05-15 17:09 – Updated: 2024-05-15 19:30
VLAI
Summary
source-controller leaks Azure Storage SAS token into logs
Details

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

https://github.com/fluxcd/source-controller/pull/1430

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the source-controller repository.
  • Contact us at the CNCF Flux Channel.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/source-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T17:09:24Z",
    "nvd_published_at": "2024-05-15T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.\n\n### Patches\n\nThis vulnerability was fixed in source-controller **v1.2.5**.\n\n### Workarounds\n\nThere is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure). \n\n### Credits\n\nThis issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.\n\n### References\n\nhttps://github.com/fluxcd/source-controller/pull/1430\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in the source-controller repository.\n- Contact us at the CNCF Flux Channel.\n",
  "id": "GHSA-v554-xwgw-hc3w",
  "modified": "2024-05-15T19:30:09Z",
  "published": "2024-05-15T17:09:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/pull/1430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/source-controller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "source-controller leaks Azure Storage SAS token into logs"
}

GHSA-V5J2-W836-Q3P2

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00
VLAI
Details

Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.",
  "id": "GHSA-v5j2-w836-q3p2",
  "modified": "2022-06-12T00:00:45Z",
  "published": "2022-06-08T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30733"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5W4-FVFM-37M6

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Windows Kernel Memory Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Windows Kernel Memory Information Disclosure Vulnerability",
  "id": "GHSA-v5w4-fvfm-37m6",
  "modified": "2025-01-14T18:32:04Z",
  "published": "2025-01-14T18:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21323"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21323"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6FX-59RV-2M7Q

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.",
  "id": "GHSA-v6fx-59rv-2m7q",
  "modified": "2022-05-24T17:45:23Z",
  "published": "2022-05-24T17:45:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25350"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V6MG-7F7P-QMQP

Vulnerability from github – Published: 2024-06-04 17:52 – Updated: 2024-06-04 17:52
VLAI
Summary
apko Exposure of HTTP basic auth credentials in log output
Details

Summary

Exposure of HTTP basic auth credentials from repository and keyring URLs in log output

Details

There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:

  1. The%s verb was used to format a url.URL as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.
  2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.

apko, as well as its companion library go-apk, have been updated to ensure URLs are parsed and redacted before being output as string values.

PoC

Create a config file like this apko.yaml:

contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://me%40example.com:supersecretpassword@localhost:8080/os
  packages:
    - wolfi-base

cmd: /bin/sh -l

archs:
- x86_64
- aarch64

Then run:

apko build apko.yaml latest foo.tar --log-level debug

Observe instances of the password being shown verbatim in the log output, such as:

...
DEBU image configuration:
contents:
    repositories:
        - https://me%40example.com:supersecretpassword@localhost:8080/os
    keyring:
        - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    packages:
        - wolfi-base
...

Impact

For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "chainguard.dev/apko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-04T17:52:15Z",
    "nvd_published_at": "2024-06-03T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nExposure of HTTP basic auth credentials from repository and keyring URLs in log output\n\n### Details\n\nThere was a handful of instances where the `apko` tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons:\n\n1. The`%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.\n2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.\n\napko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values.\n\n### PoC\n\nCreate a config file like this `apko.yaml`:\n\n```yaml\ncontents:\n  keyring:\n    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n  repositories:\n    - https://me%40example.com:supersecretpassword@localhost:8080/os\n  packages:\n    - wolfi-base\n\ncmd: /bin/sh -l\n\narchs:\n- x86_64\n- aarch64\n```\n\nThen run:\n\n```shell\napko build apko.yaml latest foo.tar --log-level debug\n```\n\nObserve instances of the password being shown verbatim in the log output, such as:\n\n```text\n...\nDEBU image configuration:\ncontents:\n    repositories:\n        - https://me%40example.com:supersecretpassword@localhost:8080/os\n    keyring:\n        - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub\n    packages:\n        - wolfi-base\n...\n```\n\n### Impact\n\nFor users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user\u0027s logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.",
  "id": "GHSA-v6mg-7f7p-qmqp",
  "modified": "2024-06-04T17:52:15Z",
  "published": "2024-06-04T17:52:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/apko"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "apko Exposure of HTTP basic auth credentials in log output"
}

GHSA-V6V8-XJ6M-XWQH

Vulnerability from github – Published: 2024-06-24 18:31 – Updated: 2024-06-26 19:31
VLAI
Summary
go-retryablehttp can leak basic auth credentials to log files
Details

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/go-retryablehttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-24T21:32:07Z",
    "nvd_published_at": "2024-06-24T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.",
  "id": "GHSA-v6v8-xj6m-xwqh",
  "modified": "2024-06-26T19:31:28Z",
  "published": "2024-06-24T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-retryablehttp/commit/a99f07beb3c5faaa0a283617e6eb6bcf25f5049a"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/c/security"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-v6v8-xj6m-xwqh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/go-retryablehttp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-retryablehttp can leak basic auth credentials to log files"
}

GHSA-V725-XJ67-9V99

Vulnerability from github – Published: 2023-10-17 12:30 – Updated: 2024-04-04 08:42
VLAI
Details

Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-17T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n",
  "id": "GHSA-v725-xj67-9v99",
  "modified": "2024-04-04T08:42:55Z",
  "published": "2023-10-17T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5339"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V735-2PP6-H86R

Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2024-09-04 19:38
VLAI
Summary
Ansible Logs Passwords If PowerShell ScriptBlock is Enabled
Details

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0a1"
            },
            {
              "fixed": "2.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-16859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:07:45Z",
    "nvd_published_at": "2018-11-29T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for \u0027become\u0027 passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.",
  "id": "GHSA-v735-2pp6-h86r",
  "modified": "2024-09-04T19:38:45Z",
  "published": "2022-05-14T01:14:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/49142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3770"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3771"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3772"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3773"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ansible Logs Passwords If PowerShell ScriptBlock is Enabled"
}

GHSA-V75G-77VF-6JJQ

Vulnerability from github – Published: 2025-05-30 20:01 – Updated: 2025-06-03 01:10
VLAI
Summary
Para Server Logs Sensitive Information
Details

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 7.5 (High) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Component: Para Server Initialization Logging Version: Para v1.50.6 File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java Vulnerable Line(s): Line 132 (via logger.info(...) with root credentials)

Technical Details:

The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:

logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.",
    rootAppCredentials.get("accessKey"),
    rootAppCredentials.get("secretKey"),
    confFile);

This exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.erudika:para-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.50.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-30T20:01:10Z",
    "nvd_published_at": "2025-06-02T12:15:25Z",
    "severity": "MODERATE"
  },
  "details": "CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)\nCVSS:  7.5 (High)\nVector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n**Affected Component:** Para Server Initialization Logging\n**Version:** Para v1.50.6\n**File Path:** `para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java`\n**Vulnerable Line(s):** Line 132 (via `logger.info(...)` with root credentials)\n\nTechnical Details:\n\nThe vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:\n```java\nlogger.info(\"Initialized root app with access key \u0027{}\u0027 and secret \u0027{}\u0027, but could not write these to {}.\",\n    rootAppCredentials.get(\"accessKey\"),\n    rootAppCredentials.get(\"secretKey\"),\n    confFile);\n```\nThis exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.",
  "id": "GHSA-v75g-77vf-6jjq",
  "modified": "2025-06-03T01:10:53Z",
  "published": "2025-05-30T20:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Erudika/para"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Para Server Logs Sensitive Information"
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.