CWE-532
Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
CVE-2025-48955 (GCVE-0-2025-48955)
Vulnerability from cvelistv5 – Published: 2025-06-02 11:11 – Updated: 2025-06-02 16:47 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/Erudika/para/security/advisori… | x_refsource_CONFIRM |
| https://github.com/Erudika/para/commit/1e8a895585… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:46:31.470097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:47:02.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "para",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.50.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T11:11:22.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"
},
{
"name": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"
}
],
"source": {
"advisory": "GHSA-v75g-77vf-6jjq",
"discovery": "UNKNOWN"
},
"title": "Para Server Logs Sensitive Information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48955",
"datePublished": "2025-06-02T11:11:22.722Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-02T16:47:02.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49009 (GCVE-0-2025-49009)
Vulnerability from cvelistv5 – Published: 2025-06-05 16:40 – Updated: 2025-06-17 13:54 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/Erudika/para/security/advisori… | x_refsource_CONFIRM |
| https://github.com/Erudika/para/commit/46a908d887… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:54:10.822111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:54:23.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "para",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.50.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user\u0027s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T16:40:27.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g"
},
{
"name": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf"
}
],
"source": {
"advisory": "GHSA-qx7g-fx8q-545g",
"discovery": "UNKNOWN"
},
"title": "Para Inserts Sensitive Information into Log File for Facebook authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49009",
"datePublished": "2025-06-05T16:40:27.978Z",
"dateReserved": "2025-05-29T16:34:07.176Z",
"dateUpdated": "2025-06-17T13:54:23.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
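Both Para records above describe the same root cause: a value that is a credential (the application's access and secret keys in CVE-2025-48955, a Facebook user's access token carried in the request URL in CVE-2025-49009) reaches a log call unmodified. The following is an added example, not code from Para or from the original page, showing the two habits that prevent this class of leak: strip credential-bearing query and fragment parameters from a URL before it is logged, and, where a key must remain traceable in logs at all, log a short fingerprint of it rather than the key itself. The parameter names in `SENSITIVE_PARAMS`, the sample URL and the sample key are assumptions constructed for the example.

```python
import hashlib
import logging
from urllib.parse import urlsplit, urlunsplit, unquote

log = logging.getLogger("auth")

# Query/fragment parameter names whose values are credentials. Assumed list;
# extend it for the identity providers your application talks to.
SENSITIVE_PARAMS = frozenset({
    "access_token", "refresh_token", "id_token", "client_secret",
    "appsecret_proof", "code", "secret", "api_key", "apikey", "token",
})
PLACEHOLDER = "REDACTED"


def _redact_pairs(encoded: str, sensitive: frozenset) -> str:
    """Redact values in an already-encoded 'k=v&k2=v2' string.

    The string is split rather than parsed and re-encoded so that the
    encoding of the non-sensitive parts is preserved byte for byte.
    """
    out = []
    for pair in encoded.split("&"):
        key, sep, _value = pair.partition("=")
        if sep and unquote(key).lower() in sensitive:
            out.append(f"{key}={PLACEHOLDER}")
        else:
            out.append(pair)
    return "&".join(out)


def redact_url(url: str, sensitive: frozenset = SENSITIVE_PARAMS) -> str:
    """Return `url` with credential-bearing query and fragment values removed.

    The fragment is handled too because OAuth implicit-flow responses carry
    access_token there rather than in the query string.
    """
    parts = urlsplit(url)
    query = _redact_pairs(parts.query, sensitive) if parts.query else parts.query
    fragment = parts.fragment
    if "=" in fragment:
        fragment = _redact_pairs(fragment, sensitive)
    return urlunsplit(parts._replace(query=query, fragment=fragment))


def key_fingerprint(secret: str, visible_prefix: int = 4) -> str:
    """A log-safe identifier for a key: a short prefix plus a SHA-256 stub.

    Enough to tell two keys apart in a log or to match a key against an
    inventory, not enough to use the key.
    """
    digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]
    return f"{secret[:visible_prefix]}...{digest}"


def fetch_profile_failed(url: str, status: int) -> str:
    """What the WARN line should carry: the endpoint, never the raw token."""
    safe_url = redact_url(url)
    log.warning("profile request failed: status=%d url=%s", status, safe_url)
    return safe_url


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample request; the token value is a placeholder, not real.
    sample = "https://graph.facebook.com/v2.8/me?fields=id,name&access_token=EAABsbCS1iHgBA.example"
    print(fetch_profile_failed(sample, 400))
    # Instead of logging key material at startup, log its fingerprint.
    print("loaded app key", key_fingerprint("app:example-secret-key-value"))
```

The redaction works on the encoded string on purpose: re-encoding through `urlencode` would alter the non-sensitive parameters (commas, slashes) and make the logged URL harder to compare with the one the client actually sent.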
CVE-2025-49846 (GCVE-0-2025-49846)
Vulnerability from cvelistv5 – Published: 2025-07-03 16:41 – Updated: 2025-07-03 19:23
| URL | Tags |
|---|---|
| https://github.com/wireapp/wire-ios/security/advi… | x_refsource_CONFIRM |
| https://github.com/wireapp/wire-ios/commit/0cff0e… | x_refsource_MISC |
| https://github.com/wireapp/wire-ios/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-03T19:20:55.941143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T19:23:39.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.111.1, \u003c 3.124.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is an iOS client for the Wire secure messaging application. From Wire iOS 3.111.1 to before 3.124.1, messages that were visible in the view port have been logged to the iOS system logs in clear text. Wire application logs created and managed by the application itself were not affected, especially not the logs users can export and send to Wire support. The iOS logs can only be accessed if someone had (physical) access to the underlying unlocked device. The issue manifested itself by calling canOpenUrl() and passing an invalid URL object. When iOS then performs the check and fails, it logs the contents to the system log. This is not documented behaviour. Wire released an emergency fix with version 3.124.1. As a workaround, users can reset their iOS device to remove the offending logs. Since Wire cannot access or modify iOS system logs, there\u0027s no other workaround other than a reset."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T16:41:34.228Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-pj5p-96xx-hc7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-pj5p-96xx-hc7m"
},
{
"name": "https://github.com/wireapp/wire-ios/commit/0cff0e4298d87c2c56de07f3fb18d3e8e5a68fa3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/commit/0cff0e4298d87c2c56de07f3fb18d3e8e5a68fa3"
},
{
"name": "https://github.com/wireapp/wire-ios/releases/tag/appstore%2F3.124.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/releases/tag/appstore%2F3.124.1"
}
],
"source": {
"advisory": "GHSA-pj5p-96xx-hc7m",
"discovery": "UNKNOWN"
},
"title": "wire-ios accidentally logs message contents"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49846",
"datePublished": "2025-07-03T16:41:34.228Z",
"dateReserved": "2025-06-11T14:33:57.800Z",
"dateUpdated": "2025-07-03T19:23:39.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50200 (GCVE-0-2025-50200)
Vulnerability from cvelistv5 – Published: 2025-06-19 16:14 – Updated: 2025-06-20 17:43 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/rabbitmq/rabbitmq-server/secur… | x_refsource_CONFIRM |

| Vendor | Product | Version |
|---|---|---|
| rabbitmq | rabbitmq-server | Affected: <= 3.13.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-20T17:42:45.496505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T17:43:55.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rabbitmq-server",
"vendor": "rabbitmq",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.13.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T16:14:24.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8"
}
],
"source": {
"advisory": "GHSA-gh3x-4x42-fvq8",
"discovery": "UNKNOWN"
},
"title": "RabbitMQ Node can log Basic Auth header from an HTTP request"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50200",
"datePublished": "2025-06-19T16:14:24.919Z",
"dateReserved": "2025-06-13T19:17:51.728Z",
"dateUpdated": "2025-06-20T17:43:55.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
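The RabbitMQ record's observation that a logged `Authorization: Basic` header "is easy to decode" is also what makes the clean-up tractable: an incident responder can work out from retained logs which accounts were exposed and have to be rotated. Below is an added example, not code from RabbitMQ or from the page, that scans log lines for `Basic` and `Bearer` credentials, decodes a Basic header just far enough to name the account (the password is discarded), and reports a SHA-256 fingerprint for a Bearer token so that the report itself does not re-leak it. The log lines are constructed for the example and their format is an assumption, not RabbitMQ's actual log layout.

```python
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches header dumps such as `authorization: Basic <b64>` or
# `"Authorization": "Bearer <token>"`, any casing, optional quotes.
AUTH_HEADER = re.compile(
    r'authorization["\']?\s*[:=]\s*["\']?(?P<scheme>Basic|Bearer)\s+(?P<value>[A-Za-z0-9+/=._~-]+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    scheme: str
    account: Optional[str]   # username recovered from a Basic header, else None
    fingerprint: str         # SHA-256 prefix of the credential, safe to report


def _fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def _basic_username(b64: str) -> Optional[str]:
    """Decode a Basic credential and return only the username part.

    RFC 7617 encodes `user:password` in base64; the password is deliberately
    thrown away here so the report never contains it.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per credential found in the given log lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in AUTH_HEADER.finditer(line):
            scheme = m.group("scheme").lower()
            value = m.group("value")
            account = _basic_username(value) if scheme == "basic" else None
            findings.append(Finding(line_no, scheme, account, _fingerprint(value)))
    return findings


def exposed_accounts(lines: Iterable[str]) -> List[str]:
    """Distinct usernames whose Basic credentials appear in the log."""
    seen: List[str] = []
    for f in scan_log(lines):
        if f.account and f.account not in seen:
            seen.append(f.account)
    return seen


# Constructed sample: the shape of a request dump that includes all headers.
# `Z3Vlc3Q6Z3Vlc3Q=` is base64 for `guest:guest`; the JWT is a placeholder.
SAMPLE_LOG = [
    '2025-06-01 10:00:00 [warning] <0.1.0> HTTP request GET /api/overview headers: '
    '{"host": "broker:15672", "authorization": "Basic Z3Vlc3Q6Z3Vlc3Q=", "accept": "*/*"}',
    '2025-06-01 10:00:05 [info] <0.1.0> accepting AMQP connection from 10.0.0.7',
    '2025-06-01 10:00:09 [warning] <0.1.0> HTTP request GET /api/queues headers: '
    '{"authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJvcHMifQ.sig-placeholder"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme} credential, account={f.account}, fp={f.fingerprint}")
    print("rotate:", exposed_accounts(SAMPLE_LOG))
```

Run it over the exported log set before deleting or shredding the files: the list from `exposed_accounts` is the rotation list, and the fingerprints let you tie a Bearer token in the logs to a token in your issuer's records without copying the token into the incident ticket.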
CVE-2025-52580 (GCVE-0-2025-52580)
Vulnerability from cvelistv5 – Published: 2025-07-22 04:49 – Updated: 2025-07-22 15:36 – CWE-532 - Insertion of sensitive information into log file
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN07825095/ | |

| Vendor | Product | Version |
|---|---|---|
| Gift Pad Co.,Ltd. | "region PAY" App for Android | Affected: prior to 1.5.28 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T15:19:47.477187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T15:36:00.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "\"region PAY\" App for Android",
"vendor": "Gift Pad Co.,Ltd.",
"versions": [
{
"status": "affected",
"version": "prior to 1.5.28"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insertion of sensitive information into log file issue exists in \"region PAY\" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who has access to the application logs."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Insertion of sensitive information into log file",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T04:49:33.459Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN07825095/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-52580",
"datePublished": "2025-07-22T04:49:33.459Z",
"dateReserved": "2025-07-15T01:02:40.018Z",
"dateUpdated": "2025-07-22T15:36:00.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52893 (GCVE-0-2025-52893)
Vulnerability from cvelistv5 – Published: 2025-06-25 16:54 – Updated: 2025-06-25 20:39 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/openbao/openbao/security/advis… | x_refsource_CONFIRM |
| https://github.com/go-viper/mapstructure/pull/105 | x_refsource_MISC |
| https://github.com/go-viper/mapstructure/commit/e… | x_refsource_MISC |
| https://github.com/openbao/openbao/commit/cf5e920… | x_refsource_MISC |
| https://discuss.hashicorp.com/t/hcsec-2025-09-vau… | x_refsource_MISC |
| https://github.com/go-viper/mapstructure/releases… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T20:35:02.788748Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T20:39:04.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openbao",
"vendor": "openbao",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T16:54:50.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq"
},
{
"name": "https://github.com/go-viper/mapstructure/pull/105",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-viper/mapstructure/pull/105"
},
{
"name": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a"
},
{
"name": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30"
},
{
"name": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717"
},
{
"name": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0"
}
],
"source": {
"advisory": "GHSA-8f5r-8cmq-7fmq",
"discovery": "UNKNOWN"
},
"title": "OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52893",
"datePublished": "2025-06-25T16:54:50.262Z",
"dateReserved": "2025-06-20T17:42:25.709Z",
"dateUpdated": "2025-06-25T20:39:04.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53649 (GCVE-0-2025-53649)
Vulnerability from cvelistv5 – Published: 2025-07-29 04:41 – Updated: 2025-07-29 13:58 – CWE-532 - Insertion of sensitive information into log file
| Vendor | Product | Version |
|---|---|---|
| SwitchBot | SwitchBot App for iOS/Android | Affected: V6.24 through V9.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T13:58:04.561921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T13:58:10.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SwitchBot App for iOS/Android",
"vendor": "SwitchBot",
"versions": [
{
"status": "affected",
"version": "V6.24 through V9.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\"SwitchBot\" App for iOS/Android contains an insertion of sensitive information into log file vulnerability in versions V6.24 through V9.12. If this vulnerability is exploited, sensitive user information may be exposed to an attacker who has access to the application logs."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Insertion of sensitive information into log file",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T04:41:35.880Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.switchbot.jp/pages/switchbot-app-vulnerability-fix202507"
},
{
"url": "https://jvn.jp/en/jp/JVN59585716/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-53649",
"datePublished": "2025-07-29T04:41:35.880Z",
"dateReserved": "2025-07-08T06:34:47.546Z",
"dateUpdated": "2025-07-29T13:58:10.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53885 (GCVE-0-2025-53885)
Vulnerability from cvelistv5 – Published: 2025-07-14 23:18 – Updated: 2025-07-15 13:43 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/directus/directus/security/adv… | x_refsource_CONFIRM |
| https://github.com/directus/directus/pull/25355 | x_refsource_MISC |
| https://github.com/directus/directus/commit/859f6… | x_refsource_MISC |
| https://github.com/directus/directus/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53885",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:43:27.488182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:43:35.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 11.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the \"Log to Console\" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T23:18:57.503Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
},
{
"name": "https://github.com/directus/directus/pull/25355",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/pull/25355"
},
{
"name": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
},
{
"name": "https://github.com/directus/directus/releases/tag/v11.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/releases/tag/v11.9.0"
}
],
"source": {
"advisory": "GHSA-x3vm-88hf-gpxp",
"discovery": "UNKNOWN"
},
"title": "Directus doesn\u0027t redact sensitive user data when logging via event hooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53885",
"datePublished": "2025-07-14T23:18:57.503Z",
"dateReserved": "2025-07-11T19:05:23.824Z",
"dateUpdated": "2025-07-15T13:43:35.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53886 (GCVE-0-2025-53886)
Vulnerability from cvelistv5 – Published: 2025-07-14 23:35 – Updated: 2025-07-15 13:41
| URL | Tags |
|---|---|
| https://github.com/directus/directus/security/adv… | x_refsource_CONFIRM |
| https://github.com/directus/directus/pull/25354 | x_refsource_MISC |
| https://github.com/directus/directus/commit/22be4… | x_refsource_MISC |
| https://github.com/directus/directus/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:41:05.387368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:41:18.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 11.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T23:35:56.448Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
},
{
"name": "https://github.com/directus/directus/pull/25354",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/pull/25354"
},
{
"name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
},
{
"name": "https://github.com/directus/directus/releases/tag/v11.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/releases/tag/v11.9.0"
}
],
"source": {
"advisory": "GHSA-f24x-rm6g-3w5v",
"discovery": "UNKNOWN"
},
"title": "Directus doesn\u0027t redact tokens in Flow logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53886",
"datePublished": "2025-07-14T23:35:56.448Z",
"dateReserved": "2025-07-11T19:05:23.824Z",
"dateUpdated": "2025-07-15T13:41:18.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
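The two Directus records, the RabbitMQ record earlier on this page and the Rucio record that follows all come down to a request being written to a log with its headers intact, so that an `Authorization` header, a session cookie or an `X-Rucio-Auth-Token` ends up in the file. Below is an added example, not code from any of those projects, of the redaction step such a dump should pass through first: a header filter that keeps the shape of the request (which headers and cookies were present, which auth scheme the client used) while removing every credential-bearing value. The header and cookie names are assumptions chosen for the example; a real deployment extends `SENSITIVE_HEADERS` with its own.

```python
import re
from typing import Dict, Mapping

PLACEHOLDER = "REDACTED"

# Headers that always carry credentials. Matching is case-insensitive.
SENSITIVE_HEADERS = frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-rucio-auth-token",
})
# Anything else whose *name* suggests a secret is redacted too (default deny).
SUSPICIOUS_NAME = re.compile(r"(token|secret|passw|api-?key|credential|session)", re.IGNORECASE)
# Recognised auth schemes: kept so the log still shows *how* the client authenticated.
SCHEME = re.compile(r"^(Basic|Bearer|Digest|Negotiate|NTLM|AWS4-HMAC-SHA256)\b", re.IGNORECASE)


def _redact_cookie(value: str) -> str:
    """Keep cookie names, drop every cookie value.

    Names show which session/tenant cookies were sent, which is what an
    operator debugging a webhook actually needs; values are session material.
    """
    out = []
    for part in value.split(";"):
        name, sep, _val = part.strip().partition("=")
        out.append(f"{name}={PLACEHOLDER}" if sep else name)
    return "; ".join(p for p in out if p)


def _redact_auth(value: str) -> str:
    """Keep the auth scheme, drop the credential that follows it."""
    m = SCHEME.match(value.strip())
    return f"{m.group(1)} {PLACEHOLDER}" if m else PLACEHOLDER


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` that is safe to write to a log."""
    safe: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("cookie", "set-cookie"):
            safe[name] = _redact_cookie(value)
        elif lname in ("authorization", "proxy-authorization"):
            safe[name] = _redact_auth(value)
        elif lname in SENSITIVE_HEADERS or SUSPICIOUS_NAME.search(lname):
            safe[name] = PLACEHOLDER
        else:
            safe[name] = value
    return safe


def describe_request(method: str, path: str, headers: Mapping[str, str]) -> str:
    """The line a 'log incoming request' operation should emit."""
    safe = redact_headers(headers)
    rendered = ", ".join(f"{k}: {v}" for k, v in safe.items())
    return f"{method} {path} {{{rendered}}}"


if __name__ == "__main__":
    # Constructed sample request; cookie and header names are illustrative.
    sample = {
        "Host": "directus.example",
        "Content-Type": "application/json",
        "Cookie": "directus_session_token=eyJ.fake.jwt; theme=dark",
        "Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q=",
        "X-Rucio-Auth-Token": "rucio-token-placeholder",
        "X-Forwarded-For": "10.0.0.7",
    }
    print(describe_request("POST", "/flows/trigger/abc", sample))
```

Cookie values are redacted wholesale rather than by an allowlist of "known sensitive" names, because the cookie names that carry a session differ per deployment and a miss there is exactly the Directus failure. For the Rucio charts the equivalent is a configuration change, as the record's own workaround says: drop the `X-Rucio-Auth-Token` entry from the `logFormat` variable (in Apache's `LogFormat` syntax a request header is inserted with `%{Header-Name}i`, so the entry to remove would be `%{X-Rucio-Auth-Token}i`, assuming the chart uses that directive directly).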
CVE-2025-54064 (GCVE-0-2025-54064)
Vulnerability from cvelistv5 – Published: 2025-07-17 14:40 – Updated: 2025-07-17 20:01 – CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/rucio/helm-charts/security/adv… | x_refsource_CONFIRM |

| Vendor | Product | Version |
|---|---|---|
| rucio | helm-charts (rucio-server) | Affected: < 32.0.1; >= 33.0.0, < 35.0.1; >= 36.0.0, < 37.0.2 |
| rucio | helm-charts (rucio-ui) | Affected: < 32.0.2; >= 33.0.0, < 35.1.1; >= 36.0.0, < 37.0.4 |
| rucio | helm-charts (rucio-webui) | Affected: < 32.0.1; >= 33.0.0, < 35.1.1; >= 36.0.0, < 37.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T20:01:37.791373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T20:01:54.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm-charts",
"vendor": "rucio",
"versions": [
{
"status": "affected",
"version": "rucio-server \u003c 32.0.1"
},
{
"status": "affected",
"version": "rucio-server \u003e= 33.0.0, \u003c 35.0.1"
},
{
"status": "affected",
"version": "rucio-server \u003e= 36.0.0, \u003c 37.0.2"
},
{
"status": "affected",
"version": "rucio-ui \u003c 32.0.2"
},
{
"status": "affected",
"version": "rucio-ui \u003e= 33.0.0, \u003c 35.1.1"
},
{
"status": "affected",
"version": "rucio-ui \u003e= 36.0.0, \u003c 37.0.4"
},
{
"status": "affected",
"version": "rucio-webui \u003c 32.0.1"
},
{
"status": "affected",
"version": "rucio-webui \u003e= 33.0.0, \u003c 35.1.1"
},
{
"status": "affected",
"version": "rucio-webui \u003e= 36.0.0, \u003c 37.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:40:59.619Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33"
}
],
"source": {
"advisory": "GHSA-cmfq-f2v2-vj33",
"discovery": "UNKNOWN"
},
"title": "rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54064",
"datePublished": "2025-07-17T14:40:59.619Z",
"dateReserved": "2025-07-16T13:22:18.204Z",
"dateUpdated": "2025-07-17T20:01:54.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Phase: Distribution
Description:
- Remove debug log files before deploying the application into production.
Mitigation
Phase: Operation
Description:
- Protect log files against unauthorized read/write.
Mitigation
Phase: Implementation
Description:
- Adjust configurations appropriately when software is transitioned from a debug state to production.
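One way to apply the first and last of these mitigations in code, as an added example that is not part of the CWE entry or of any project named in the records above: a Python `logging` filter that redacts labelled credentials and unlabelled JWTs before a record reaches a handler. The header and key names (`X-Rucio-Auth-Token`, `Authorization`, `access_key`, `secret_key`, and so on) are assumptions chosen for the illustration, the logger name `redact-demo` is hypothetical, and the sample log lines are constructed.

```python
import io
import logging
import re

# Header and key names that carry credentials. These names are assumptions
# for this example, chosen to resemble the kinds of values the records above
# describe (an auth-token header, an access/secret key pair); extend the
# tuples for your own application.
SECRET_HEADERS = ("authorization", "x-rucio-auth-token", "x-api-key")
SECRET_KEYS = ("access_key", "secret_key", "password", "token")

MARK = "[REDACTED]"

# "<Header>: <value>" or "<Header>=<value>"; the value may carry a Bearer prefix.
_HEADER_RE = re.compile(
    r"\b(" + "|".join(re.escape(h) for h in SECRET_HEADERS) + r")"
    r"(\s*[:=]\s*)((?:bearer\s+)?[^\s,;]+)",
    re.IGNORECASE,
)
# "<key>=<value>" / "<key>: <value>", optionally quoted, as in a config dump.
_KEY_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in SECRET_KEYS) + r")"
    r"(\s*[=:]\s*[\"']?)([^\s\"',;]+)",
    re.IGNORECASE,
)
# A compact JWS/JWT: three base64url segments, the first encoding '{"' -> "eyJ".
# This catches tokens written with no label at all, as an access-log format does.
_JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# A Bearer token that appears without its header name.
_BEARER_RE = re.compile(r"\b(bearer\s+)[^\s,;]+", re.IGNORECASE)


def redact(text: str) -> str:
    """Return text with every recognised credential replaced by MARK.

    Labelled values are handled first so the label and separator survive;
    the structural JWT and Bearer patterns then catch anything unlabelled.
    Running redact() on its own output changes nothing.
    """
    text = _HEADER_RE.sub(lambda m: m.group(1) + m.group(2) + MARK, text)
    text = _KEY_RE.sub(lambda m: m.group(1) + m.group(2) + MARK, text)
    text = _JWT_RE.sub(MARK, text)
    text = _BEARER_RE.sub(lambda m: m.group(1) + MARK, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite each record's fully formatted message before it is emitted.

    Formatting first (record.getMessage()) means a secret passed as a %s
    argument is redacted too, and no placeholder count is disturbed.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_through_filter(message: str, *args) -> str:
    """Emit one INFO record through a handler carrying RedactingFilter and
    return the line the handler wrote, without the trailing newline."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler, so it sees every record
    logger = logging.getLogger("redact-demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.info(message, *args)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().rstrip("\n")


# Constructed sample lines; none is taken from a real system or log.
SAMPLE_LINES = [
    "GET /accounts/whoami HTTP/1.1 X-Rucio-Auth-Token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc123DEF456",
    "loaded config: access_key=AKIAEXAMPLE1234, secret_key=wJalrExampleSecret",
    "Authorization: Bearer 0123456789abcdef",
    '203.0.113.5 - - "GET /dids HTTP/1.1" 200 eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc123DEF456',
    "retrying in 5s",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(log_through_filter("%s", line))
```

Attach the filter to handlers rather than to loggers: a filter on a logger only sees records created by that logger, not records propagated from its children, while a handler filter sees everything the handler is about to write. The filter also does not touch `exc_info`, so a traceback that carries a credential in a local variable or exception message still needs separate handling, and the best fix remains the first mitigation above: do not pass the secret to the logger at all.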
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.