CWE-532
Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
CVE-2025-43888 (GCVE-0-2025-43888)
Vulnerability from cvelistv5 – Published: 2025-09-10 15:42 – Updated: 2026-02-26 17:48
VLAI
Summary
Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00036745… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerProtect Data Manager |
Affected:
N/A , < 19.21 build 11
(semver)
|
Date Public
2025-09-09 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T03:56:26.040843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:48:44.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerProtect Data Manager",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.21 build 11",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-09-09T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access."
}
],
"value": "Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T15:43:08.746Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000367456/dsa-2025-326-security-update-for-dell-powerprotect-data-manager-multiple-security-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-43888",
"datePublished": "2025-09-10T15:42:34.448Z",
"dateReserved": "2025-04-18T05:05:05.741Z",
"dateUpdated": "2026-02-26T17:48:44.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-43937 (GCVE-0-2025-43937)
Vulnerability from cvelistv5 – Published: 2026-04-16 18:03 – Updated: 2026-04-16 18:51
VLAI
Summary
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00037621… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
9.5.0.0 , < 9.10.1.3
(semver)
Affected: 0 , < 9.12.0.0 (semver) Affected: 9.7.0.0 , < 9.7.1.9 (semver) Affected: 9.5.0.0 , < 9.5.1.5 (semver) |
Date Public
2025-10-01 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T18:51:17.818973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T18:51:41.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"lessThan": "9.10.1.3",
"status": "affected",
"version": "9.5.0.0",
"versionType": "semver"
},
{
"lessThan": "9.12.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "9.7.1.9",
"status": "affected",
"version": "9.7.0.0",
"versionType": "semver"
},
{
"lessThan": "9.5.1.5",
"status": "affected",
"version": "9.5.0.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-10-01T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account."
}
],
"value": "Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T18:03:08.750Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-43937",
"datePublished": "2026-04-16T18:03:08.750Z",
"dateReserved": "2025-04-20T05:04:01.415Z",
"dateUpdated": "2026-04-16T18:51:41.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46329 (GCVE-0-2025-46329)
Vulnerability from cvelistv5 – Published: 2025-04-29 04:35 – Updated: 2025-04-29 13:34
VLAI
Title
Snowflake Connector for C/C++ inserts client-side encryption key in DEBUG logs
Summary
libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, are vulnerable to local logging of sensitive information. When the logging level was set to DEBUG, the Connector would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. This issue has been patched in version 2.2.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/snowflakedb/libsnowflakeclient… | x_refsource_CONFIRM |
| https://github.com/snowflakedb/libsnowflakeclient… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| snowflakedb | libsnowflakeclient |
Affected:
>= 0.5.0, < 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T13:33:53.462290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T13:34:10.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libsnowflakeclient",
"vendor": "snowflakedb",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0, \u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, are vulnerable to local logging of sensitive information. When the logging level was set to DEBUG, the Connector would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T04:35:49.431Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/snowflakedb/libsnowflakeclient/security/advisories/GHSA-jx4f-645p-wjpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/snowflakedb/libsnowflakeclient/security/advisories/GHSA-jx4f-645p-wjpx"
},
{
"name": "https://github.com/snowflakedb/libsnowflakeclient/commit/3caa8a6a3ee95e0a66ead03b4bf6a2d1ca42ebfe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/libsnowflakeclient/commit/3caa8a6a3ee95e0a66ead03b4bf6a2d1ca42ebfe"
}
],
"source": {
"advisory": "GHSA-jx4f-645p-wjpx",
"discovery": "UNKNOWN"
},
"title": "Snowflake Connector for C/C++ inserts client-side encryption key in DEBUG logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46329",
"datePublished": "2025-04-29T04:35:49.431Z",
"dateReserved": "2025-04-22T22:41:54.911Z",
"dateUpdated": "2025-04-29T13:34:10.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46614 (GCVE-0-2025-46614)
Vulnerability from cvelistv5 – Published: 2025-04-28 00:00 – Updated: 2025-04-28 15:56
VLAI
Summary
In Snowflake ODBC Driver before 3.7.0, in certain code paths, the Driver logged the whole SQL query at the INFO level, aka Insertion of Sensitive Information into a Log File.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Snowflake | Snowflake ODBC |
Affected:
0 , < 3.7.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T15:56:17.817505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T15:56:23.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Snowflake ODBC",
"vendor": "Snowflake",
"versions": [
{
"lessThan": "3.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Snowflake ODBC Driver before 3.7.0, in certain code paths, the Driver logged the whole SQL query at the INFO level, aka Insertion of Sensitive Information into a Log File."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T15:25:58.983Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://community.snowflake.com/s/article/Snowflake-Connector-for-ODBC-Security-Advisory-CVE-2025-46614"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-46614",
"datePublished": "2025-04-28T00:00:00.000Z",
"dateReserved": "2025-04-25T00:00:00.000Z",
"dateUpdated": "2025-04-28T15:56:23.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46752 (GCVE-0-2025-46752)
Vulnerability from cvelistv5 – Published: 2025-10-16 14:00 – Updated: 2026-01-14 09:17
VLAI
Summary
A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Information disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiDLP |
Affected:
12.0.4 , ≤ 12.0.5
(semver)
Affected: 12.0.2 Affected: 12.0.0 Affected: 11.5.1 Affected: 11.4.5 , ≤ 11.4.6 (semver) cpe:2.3:a:fortinet:fortidlp:12.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:12.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:12.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:11.5.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:11.4.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortidlp:11.4.5:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T14:20:20.963552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T14:20:31.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortidlp:12.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:12.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:12.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:11.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:11.4.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortidlp:11.4.5:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiDLP",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "12.0.5",
"status": "affected",
"version": "12.0.4",
"versionType": "semver"
},
{
"status": "affected",
"version": "12.0.2"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "11.5.1"
},
{
"lessThanOrEqual": "11.4.6",
"status": "affected",
"version": "11.4.5",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T09:17:01.488Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-25-160",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-160"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiDLP version 12.1.0 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2025-46752",
"datePublished": "2025-10-16T14:00:30.930Z",
"dateReserved": "2025-04-29T00:20:46.508Z",
"dateUpdated": "2026-01-14T09:17:01.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46777 (GCVE-0-2025-46777)
Vulnerability from cvelistv5 – Published: 2025-05-28 07:56 – Updated: 2025-05-28 13:30
VLAI
Summary
A insertion of sensitive information into log file in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.9 may allow an authenticated attacker with at least read-only admin permissions to view encrypted secrets via the FortiPortal System Log.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Information disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiPortal |
Affected:
7.4.0
Affected: 7.2.0 , ≤ 7.2.5 (semver) Affected: 7.0.0 , ≤ 7.0.9 (semver) cpe:2.3:a:fortinet:fortiportal:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortiportal:7.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:30:18.489150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:30:23.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortiportal:7.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiportal:7.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiPortal",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "7.4.0"
},
{
"lessThanOrEqual": "7.2.5",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.9",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A insertion of sensitive information into log file in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.9 may allow an authenticated attacker with at least read-only admin permissions to view encrypted secrets via the FortiPortal System Log."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T07:56:03.616Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-380",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-380"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiPortal version 7.4.2 or above \nPlease upgrade to FortiPortal version 7.4.1 or above \nPlease upgrade to FortiPortal version 7.2.6 or above \nPlease upgrade to FortiPortal version 7.0.10 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2025-46777",
"datePublished": "2025-05-28T07:56:03.616Z",
"dateReserved": "2025-04-29T08:42:13.449Z",
"dateUpdated": "2025-05-28T13:30:23.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47979 (GCVE-0-2025-47979)
Vulnerability from cvelistv5 – Published: 2025-10-14 17:00 – Updated: 2026-02-22 17:24
VLAI
Title
Microsoft Failover Cluster Information Disclosure Vulnerability
Summary
Insertion of sensitive information into log file in Windows Failover Cluster allows an authorized attacker to disclose information locally.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Windows Server 2022, 23H2 Edition (Server Core installation) |
Affected:
10.0.25398.0 , < 10.0.25398.1913
(custom)
|
|
| Microsoft | Windows Server 2025 |
Affected:
10.0.26100.0 , < 10.0.26100.6899
(custom)
|
|
| Microsoft | Windows Server 2025 (Server Core installation) |
Affected:
10.0.26100.0 , < 10.0.26100.6899
(custom)
|
Date Public
2025-10-14 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T20:01:17.398528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:03:03.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64-based Systems"
],
"product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "10.0.25398.1913",
"status": "affected",
"version": "10.0.25398.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Windows Server 2025",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "10.0.26100.6899",
"status": "affected",
"version": "10.0.26100.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Windows Server 2025 (Server Core installation)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "10.0.26100.6899",
"status": "affected",
"version": "10.0.26100.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.26100.6899",
"versionStartIncluding": "10.0.26100.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.25398.1913",
"versionStartIncluding": "10.0.25398.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.26100.6899",
"versionStartIncluding": "10.0.26100.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-10-14T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Insertion of sensitive information into log file in Windows Failover Cluster allows an authorized attacker to disclose information locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-22T17:24:55.793Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Failover Cluster Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47979"
}
],
"title": "Microsoft Failover Cluster Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-47979",
"datePublished": "2025-10-14T17:00:46.877Z",
"dateReserved": "2025-05-14T14:44:20.083Z",
"dateUpdated": "2026-02-22T17:24:55.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48374 (GCVE-0-2025-48374)
Vulnerability from cvelistv5 – Published: 2025-05-22 20:43 – Updated: 2025-05-23 14:33
VLAI
Title
zot logs secrets
Summary
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/project-zot/zot/security/advis… | x_refsource_CONFIRM |
| https://github.com/project-zot/zot/commit/8a99a3e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| project-zot | zot |
Affected:
< 1.4.4-0.20250522160828-8a99a3ed231f
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:29:24.291687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T14:33:24.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zot",
"vendor": "project-zot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.4-0.20250522160828-8a99a3ed231f"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T20:43:13.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8"
},
{
"name": "https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e"
}
],
"source": {
"advisory": "GHSA-c37v-3c8w-crq8",
"discovery": "UNKNOWN"
},
"title": "zot logs secrets"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48374",
"datePublished": "2025-05-22T20:43:13.708Z",
"dateReserved": "2025-05-19T15:46:00.395Z",
"dateUpdated": "2025-05-23T14:33:24.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48493 (GCVE-0-2025-48493)
Vulnerability from cvelistv5 – Published: 2025-06-05 16:33 – Updated: 2025-06-09 20:52
VLAI
Title
Yii 2 Redis may expose AUTH paramters in logs in case of connection failure
Summary
The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/yiisoft/yii2-redis/security/ad… | x_refsource_CONFIRM |
| https://github.com/yiisoft/yii2-redis/commit/9622… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yiisoft | yii2-redis |
Affected:
< 2.0.20
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T20:52:32.159781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:52:45.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yii2-redis",
"vendor": "yiisoft",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T16:33:20.330Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yiisoft/yii2-redis/security/advisories/GHSA-g3p6-82vc-43jh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yiisoft/yii2-redis/security/advisories/GHSA-g3p6-82vc-43jh"
},
{
"name": "https://github.com/yiisoft/yii2-redis/commit/962252d2c57c187181e67bb66da3f27b4698358d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yiisoft/yii2-redis/commit/962252d2c57c187181e67bb66da3f27b4698358d"
}
],
"source": {
"advisory": "GHSA-g3p6-82vc-43jh",
"discovery": "UNKNOWN"
},
"title": "Yii 2 Redis may expose AUTH paramters in logs in case of connection failure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48493",
"datePublished": "2025-06-05T16:33:20.330Z",
"dateReserved": "2025-05-22T12:11:39.121Z",
"dateUpdated": "2025-06-09T20:52:45.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48709 (GCVE-0-2025-48709)
Vulnerability from cvelistv5 – Published: 2025-08-07 00:00 – Updated: 2025-12-01 21:57
VLAI
Title
BMC Control-M/Server cleartext database credentials in process lists and logs
Summary
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| BMC | Control-M/Server |
Affected:
9.0.21.300 , < PACTV.9.0.21.307
(custom)
Unaffected: PACTV.9.0.21.307 |
|
| bmc | control-m |
Affected:
9.0.21.300 , < 9.0.21.300 PACTV.9.0.21.307
(custom)
Unaffected: PACTV.9.0.21.307 cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:* |
Date Public
2025-08-06 00:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "control-m",
"vendor": "bmc",
"versions": [
{
"lessThan": "9.0.21.300 PACTV.9.0.21.307",
"status": "affected",
"version": "9.0.21.300",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "PACTV.9.0.21.307"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:23:04.978628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T21:57:06.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Control-M/Server",
"vendor": "BMC",
"versions": [
{
"lessThan": "PACTV.9.0.21.307",
"status": "affected",
"version": "9.0.21.300",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "PACTV.9.0.21.307"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Derrick Polakoff"
}
],
"datePublic": "2025-08-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs \u0027DBUStatus.exe\u0027 frequently, which then calls \u0027dbu_connection_details.vbs\u0027 with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48709",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T16:23:53.246063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214 Invocation of Process Using Visible Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T21:20:49.549Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-307/"
}
],
"title": "BMC Control-M/Server cleartext database credentials in process lists and logs"
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48709",
"datePublished": "2025-08-07T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-12-01T21:57:06.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Phase: Distribution
Description:
- Remove debug log files before deploying the application into production.
Mitigation
Phase: Operation
Description:
- Protect log files against unauthorized read/write.
Mitigation
Phase: Implementation
Description:
- Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.