Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1739 vulnerabilities reference this CWE, most recent first.

GHSA-WF66-MPHR-4C4R

Vulnerability from github – Published: 2026-04-20 15:31 – Updated: 2026-04-24 20:37
VLAI
Summary
Apache Kafka exposes sensitive information in its DEBUG logs
Details

Information exposure vulnerability has been identified in Apache Kafka.

The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:

  • AlterConfigsRequest

  • AlterUserScramCredentialsRequest

  • ExpireDelegationTokenRequest

  • IncrementalAlterConfigsRequest

  • RenewDelegationTokenRequest

  • SaslAuthenticateRequest

  • createDelegationTokenResponse

  • describeDelegationTokenResponse

  • SaslAuthenticateResponse

This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. Apache advises Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.kafka:kafka-clients"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "3.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.kafka:kafka-clients"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T20:37:18Z",
    "nvd_published_at": "2026-04-20T14:16:19Z",
    "severity": "MODERATE"
  },
  "details": "Information exposure vulnerability has been identified in Apache Kafka.\n\nThe NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are:\n\n\n  *  AlterConfigsRequest\n\n  *  AlterUserScramCredentialsRequest\n\n  *  ExpireDelegationTokenRequest\n\n  *  IncrementalAlterConfigsRequest\n\n  *  RenewDelegationTokenRequest\n\n  *  SaslAuthenticateRequest\n\n  *  createDelegationTokenResponse\n\n  *  describeDelegationTokenResponse\n\n  *  SaslAuthenticateResponse\n\n\nThis issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. Apache advises Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability.",
  "id": "GHSA-wf66-mphr-4c4r",
  "modified": "2026-04-24T20:37:18Z",
  "published": "2026-04-20T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33558"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/kafka"
    },
    {
      "type": "WEB",
      "url": "https://kafka.apache.org/cve-list"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/pz5g4ky3h0k91tfd14p0dzqjp80960kl"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/17/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Kafka exposes sensitive information in its DEBUG logs"
}

GHSA-WFFP-P4H8-F6WQ

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 198836.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-26T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 198836.",
  "id": "GHSA-wffp-p4h8-f6wq",
  "modified": "2022-05-24T17:48:53Z",
  "published": "2022-05-24T17:48:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20536"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198836"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6445739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WG4G-395P-MQV3

Vulnerability from github – Published: 2026-04-25 23:35 – Updated: 2026-05-13 13:34
VLAI
Summary
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
Details

Impact

When n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably n8n_manage_credentials.data — the raw values can be persisted in logs.

In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:

  • bearer tokens and OAuth credentials sent through n8n_manage_credentials
  • per-tenant API keys and webhook auth headers embedded in tool arguments
  • arbitrary secret-bearing payloads passed to any MCP tool

The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. The fix removes the leak at the source.

Impact category: CWE-532 (Insertion of Sensitive Information into Log File). CVSS 3.1 score: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Affected

Deployments running n8n-mcp v2.47.12 or earlier in HTTP transport mode (MCP_MODE=http). The stdio transport short-circuits the relevant log calls and is not affected in practice.

Patched

v2.47.13 and later.

  • npm: npx n8n-mcp@latest (or pin to >= 2.47.13)
  • Docker: docker pull ghcr.io/czlonkowski/n8n-mcp:latest

The patch routes tool-call arguments through a metadata-only summarizer (summarizeToolCallArgs) that records type, top-level key names, and approximate size — never values. The same pattern was adopted earlier for HTTP request bodies in GHSA-pfm2-2mhg-8wpx.

Workarounds

If developers cannot upgrade immediately:

  • Restrict access to the HTTP port (firewall, reverse proxy, or VPN) so only trusted clients can authenticate.
  • Restrict access to server logs (no shared SIEM ingestion, no support read-only access) until the upgrade lands.
  • Switch to stdio transport (MCP_MODE=stdio, the default for CLI invocation), which has no HTTP surface and short-circuits the affected log calls.

Credit

n8n-MCP thanks @Mirr2 (Organization / Jormungandr) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.47.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:35:28Z",
    "nvd_published_at": "2026-05-08T20:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen `n8n-mcp` runs in HTTP transport mode, authenticated MCP `tools/call` requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material \u2014 most notably `n8n_manage_credentials.data` \u2014 the raw values can be persisted in logs.\n\nIn deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:\n\n- bearer tokens and OAuth credentials sent through `n8n_manage_credentials`\n- per-tenant API keys and webhook auth headers embedded in tool arguments\n- arbitrary secret-bearing payloads passed to any MCP tool\n\nThe issue requires authentication (`AUTH_TOKEN` accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. The fix removes the leak at the source.\n\nImpact category: **CWE-532** (Insertion of Sensitive Information into Log File). CVSS 3.1 score: **4.3 Medium** (`AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`).\n\n### Affected\n\nDeployments running n8n-mcp **v2.47.12 or earlier** in HTTP transport mode (`MCP_MODE=http`). The stdio transport short-circuits the relevant log calls and is not affected in practice.\n\n### Patched\n\n**v2.47.13** and later.\n\n- npm: `npx n8n-mcp@latest` (or pin to `\u003e= 2.47.13`)\n- Docker: `docker pull ghcr.io/czlonkowski/n8n-mcp:latest`\n\nThe patch routes tool-call arguments through a metadata-only summarizer (`summarizeToolCallArgs`) that records type, top-level key names, and approximate size \u2014 never values. The same pattern was adopted earlier for HTTP request bodies in GHSA-pfm2-2mhg-8wpx.\n\n### Workarounds\n\nIf developers cannot upgrade immediately:\n\n- Restrict access to the HTTP port (firewall, reverse proxy, or VPN) so only trusted clients can authenticate.\n- Restrict access to server logs (no shared SIEM ingestion, no support read-only access) until the upgrade lands.\n- Switch to stdio transport (`MCP_MODE=stdio`, the default for CLI invocation), which has no HTTP surface and short-circuits the affected log calls.\n\n### Credit\n\nn8n-MCP thanks [@Mirr2](https://github.com/Mirr2) (Organization / Jormungandr) for reporting this issue.",
  "id": "GHSA-wg4g-395p-mqv3",
  "modified": "2026-05-13T13:34:59Z",
  "published": "2026-04-25T23:35:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-wg4g-395p-mqv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/czlonkowski/n8n-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode"
}

GHSA-WG52-V6X4-GHP3

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:40
VLAI
Details

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.",
  "id": "GHSA-wg52-v6x4-ghp3",
  "modified": "2024-04-04T01:40:38Z",
  "published": "2022-05-24T16:53:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13515"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG5X-3G47-V38R

Vulnerability from github – Published: 2026-05-19 15:40 – Updated: 2026-06-09 13:12
VLAI
Summary
fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Details

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.

Recommendation

  • Update to the fixed version of the chaincode runtime.
  • Redact or remove existing logs that contain the TLS private key password.
  • Change the TLS private key password.

Mitigation

Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.1"
            },
            {
              "fixed": "2.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:40:13Z",
    "nvd_published_at": "2026-06-08T17:16:44Z",
    "severity": "MODERATE"
  },
  "details": "When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.\n\n### Recommendation\n\n- Update to the fixed version of the chaincode runtime.\n- Redact or remove existing logs that contain the TLS private key password.\n- Change the TLS private key password.\n\n### Mitigation\n\nImpacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.",
  "id": "GHSA-wg5x-3g47-v38r",
  "modified": "2026-06-09T13:12:11Z",
  "published": "2026-05-19T15:40:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45581"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperledger/fabric-chaincode-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode"
}

GHSA-WGPQ-P2HM-56V9

Vulnerability from github – Published: 2024-02-01 15:30 – Updated: 2024-05-23 13:55
VLAI
Summary
glance-store logs s3 access keys
Details

A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "glance-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532",
      "CWE-779"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-05T22:32:25Z",
    "nvd_published_at": "2024-02-01T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.",
  "id": "GHSA-wgpq-p2hm-56v9",
  "modified": "2024-05-23T13:55:44Z",
  "published": "2024-02-01T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2732"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1141"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/glance_store"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "glance-store logs s3 access keys"
}

GHSA-WGR7-WRHM-VCMG

Vulnerability from github – Published: 2024-03-22 00:31 – Updated: 2025-03-27 21:31
VLAI
Details

An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-21T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue in iTop DualSafe Password Manager \u0026 Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.",
  "id": "GHSA-wgr7-wrhm-vcmg",
  "modified": "2025-03-27T21:31:03Z",
  "published": "2024-03-22T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24272"
    },
    {
      "type": "WEB",
      "url": "https://research.hisolutions.com/2024/03/cve-2024-24272-dualsafe-password-manager-leaks-credentials"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHP8-C256-P9F6

Vulnerability from github – Published: 2025-06-12 18:31 – Updated: 2025-06-12 18:31
VLAI
Details

Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-whp8-c256-p9f6",
  "modified": "2025-06-12T18:31:48Z",
  "published": "2025-06-12T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36573"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000323183/dsa-2025-218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHPH-446H-6M9V

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2023-08-03 19:30
VLAI
Summary
Azure SDK for .NET Information Disclosure Vulnerability.
Details

Azure SDK for .NET Information Disclosure Vulnerability via undisclosed methods relating to lack of sanitization of exception messages.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.Rest.ClientRuntime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-07T21:30:44Z",
    "nvd_published_at": "2022-04-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Azure SDK for .NET Information Disclosure Vulnerability via undisclosed methods relating to lack of sanitization of exception messages.",
  "id": "GHSA-whph-446h-6m9v",
  "modified": "2023-08-03T19:30:54Z",
  "published": "2022-04-16T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azure/azure-sdk-for-net/pull/28169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azure/azure-sdk-for-net/commit/e67f2a9fc5aa1060bd465d1458c347671268f6f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Azure/azure-sdk-for-net"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azure/azure-sdk-for-net/blob/a919c48ae294fed084a9679b6f53ac6af3fb4c3a/sdk/mgmtcommon/ClientRuntime/ClientRuntime/Microsoft.Rest.ClientRuntime.csproj#L11"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26907"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26907"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Azure SDK for .NET Information Disclosure Vulnerability."
}

GHSA-WHVH-7626-25QP

Vulnerability from github – Published: 2023-03-27 06:30 – Updated: 2023-03-27 06:30
VLAI
Details

Juiker app stores debug logs which contains sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-27T04:15:00Z",
    "severity": "LOW"
  },
  "details": "Juiker app stores debug logs which contains sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts.",
  "id": "GHSA-whvh-7626-25qp",
  "modified": "2023-03-27T06:30:22Z",
  "published": "2023-03-27T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39043"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-6922-4a37a-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.