Search
Total
255 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50253 | 1 Laf | 1 Laf | 2024-01-11 | N/A | 6.5 MEDIUM |
| Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist. | |||||
| CVE-2023-52146 | 1 Ajexperience | 1 404 Solution | 2024-01-11 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0. | |||||
| CVE-2023-46742 | 1 Linuxfoundation | 1 Cubefs | 2024-01-10 | N/A | 6.5 MEDIUM |
| CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS. | |||||
| CVE-2023-6746 | 1 Github | 1 Enterprise Server | 2024-01-10 | N/A | 5.7 MEDIUM |
| An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | |||||
| CVE-2023-31417 | 1 Elastic | 1 Elasticsearch | 2024-01-03 | N/A | 4.4 MEDIUM |
| Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured. | |||||
| CVE-2023-40338 | 1 Jenkins | 1 Folders | 2024-01-02 | N/A | 4.3 MEDIUM |
| Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. | |||||
| CVE-2023-4380 | 1 Redhat | 4 Ansible Automation Platform, Ansible Developer, Ansible Inside and 1 more | 2024-01-01 | N/A | 6.3 MEDIUM |
| A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. | |||||
| CVE-2023-6802 | 1 Github | 1 Enterprise Server | 2023-12-29 | N/A | 6.5 MEDIUM |
| An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | |||||
| CVE-2021-3447 | 2 Fedoraproject, Redhat | 3 Fedora, Ansible, Ansible Tower | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2. | |||||
| CVE-2021-20178 | 2 Fedoraproject, Redhat | 3 Fedora, Ansible, Ansible Tower | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | |||||
| CVE-2021-20191 | 2 Oracle, Redhat | 8 Virtualization, Ansible, Ansible Tower and 5 more | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. | |||||
| CVE-2021-25284 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 1.9 LOW | 4.4 MEDIUM |
| An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. | |||||
| CVE-2018-2372 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A plain keystore password is written to a system log file in SAP HANA Extended Application Services, 1.0, which could endanger confidentiality of SSL communication. | |||||
| CVE-2022-30148 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2023-12-20 | 2.1 LOW | 5.5 MEDIUM |
| Windows Desired State Configuration (DSC) Information Disclosure Vulnerability | |||||
| CVE-2023-6687 | 1 Elastic | 1 Elastic Agent | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default. | |||||
| CVE-2023-49922 | 1 Elastic | 1 Elastic Beats | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default. | |||||
| CVE-2023-49923 | 1 Elastic | 1 Enterprise Search | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default. | |||||
| CVE-2023-46671 | 1 Elastic | 1 Kibana | 2023-12-18 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions). | |||||
| CVE-2023-46675 | 1 Elastic | 1 Kibana | 2023-12-18 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete. | |||||
| CVE-2023-6460 | 1 Google | 1 Cloud Firestore | 2023-12-08 | N/A | 5.5 MEDIUM |
| A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue | |||||
| CVE-2023-6287 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2023-12-01 | N/A | 5.5 MEDIUM |
| Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files. | |||||
| CVE-2023-48708 | 1 Codeigniter | 1 Shield | 2023-11-30 | N/A | 6.5 MEDIUM |
| CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files. | |||||
| CVE-2021-22143 | 1 Elastic | 1 Apm .net Agent | 2023-11-30 | N/A | 4.3 MEDIUM |
| The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent. | |||||
| CVE-2023-25682 | 1 Ibm | 1 Sterling B2b Integrator | 2023-11-30 | N/A | 5.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 247034. | |||||
| CVE-2022-29869 | 3 Debian, Fedoraproject, Samba | 3 Debian Linux, Fedora, Cifs-utils | 2023-11-24 | 4.3 MEDIUM | 5.3 MEDIUM |
| cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. | |||||
| CVE-2023-46672 | 1 Elastic | 1 Logstash | 2023-11-22 | N/A | 5.5 MEDIUM |
| An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: * Logstash is configured to log in JSON format https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html , which is not the default logging format. * Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration. | |||||
| CVE-2023-32283 | 1 Intel | 1 On Demand | 2023-11-21 | N/A | 5.5 MEDIUM |
| Insertion of sensitive information into log file in some Intel(R) On Demand software before versions 1.16.2, 2.1.1, 3.1.0 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-46647 | 4 Apple, Google, Intel and 1 more | 4 Iphone Os, Android, Unison Software and 1 more | 2023-11-17 | N/A | 5.5 MEDIUM |
| Insertion of sensitive information into log file for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2023-38732 | 3 Ibm, Microsoft, Redhat | 4 Robotic Process Automation, Robotic Process Automation For Cloud Pak, Windows and 1 more | 2023-08-26 | N/A | 4.3 MEDIUM |
| IBM Robotic Process Automation 21.0.0 through 21.0.7 server could allow an authenticated user to view sensitive information from application logs. IBM X-Force ID: 262289. | |||||
| CVE-2023-38733 | 3 Ibm, Microsoft, Redhat | 3 Robotic Process Automation, Windows, Openshift | 2023-08-26 | N/A | 4.3 MEDIUM |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 server could allow an authenticated user to view sensitive information from installation logs. IBM X-Force Id: 262293. | |||||
| CVE-2023-32491 | 1 Dell | 1 Powerscale Onefs | 2023-08-22 | N/A | 6.5 MEDIUM |
| Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive information into log file vulnerability in SNMPv3. A low privileges user could potentially exploit this vulnerability, leading to information disclosure. | |||||
| CVE-2020-24804 | 1 Cms-dev | 1 Cms | 2023-08-17 | N/A | 6.5 MEDIUM |
| Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs. | |||||
| CVE-2023-2878 | 1 Kunernetes | 1 Secrets-store-csi-driver | 2023-08-14 | N/A | 5.5 MEDIUM |
| Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs. | |||||
| CVE-2022-3018 | 1 Gitlab | 1 Gitlab | 2023-08-08 | N/A | 4.9 MEDIUM |
| An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs. | |||||
| CVE-2021-39715 | 1 Google | 1 Android | 2023-08-08 | 2.1 LOW | 4.4 MEDIUM |
| In __show_regs of process.c, there is a possible leak of kernel memory and addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-178379135References: Upstream kernel | |||||
| CVE-2022-34826 | 1 Couchbase | 1 Couchbase Server | 2023-08-08 | N/A | 5.9 MEDIUM |
| In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs. | |||||
| CVE-2023-36494 | 1 F5 | 1 F5os-a | 2023-08-07 | N/A | 4.4 MEDIUM |
| Audit logs on F5OS-A may contain undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-41618 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | N/A | 5.3 MEDIUM |
| Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. | |||||
| CVE-2023-31426 | 1 Broadcom | 1 Fabric Operating System | 2023-08-04 | N/A | 6.5 MEDIUM |
| The Brocade Fabric OS Commands “configupload” and “configdownload” before Brocade Fabric OS v9.1.1c, v8.2.3d, v9.2.0 print scp, sftp, ftp servers passwords in supportsave. This could allow a remote authenticated attacker to access sensitive information. | |||||
| CVE-2022-0338 | 1 Loguru Project | 1 Loguru | 2023-08-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3. | |||||
| CVE-2023-32478 | 1 Dell | 1 Powerstoreos | 2023-07-31 | N/A | 4.9 MEDIUM |
| Dell PowerStore versions prior to 3.5.0.1 contain an insertion of sensitive information into log file vulnerability. A high privileged malicious user could potentially exploit this vulnerability, leading to sensitive information disclosure. | |||||
| CVE-2023-32455 | 1 Dell | 10 Latitude 3420, Latitude 3440, Latitude 5440 and 7 more | 2023-07-28 | N/A | 5.5 MEDIUM |
| Dell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files. | |||||
| CVE-2023-32446 | 1 Dell | 10 Latitude 3420, Latitude 3440, Latitude 5440 and 7 more | 2023-07-28 | N/A | 5.5 MEDIUM |
| Dell Wyse ThinOS versions prior to 2303 (9.4.1141) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files. | |||||
| CVE-2023-32447 | 1 Dell | 10 Latitude 3420, Latitude 3440, Latitude 5440 and 7 more | 2023-07-28 | N/A | 5.5 MEDIUM |
| Dell Wyse ThinOS versions prior to 2306 (9.4.2103) contain a sensitive information disclosure vulnerability. A malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files. | |||||
| CVE-2023-32392 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2023-07-27 | N/A | 5.5 MEDIUM |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may be able to read sensitive location information. | |||||
| CVE-2023-37224 | 1 Archerirm | 1 Archer | 2023-07-26 | N/A | 5.5 MEDIUM |
| An issue in Archer Platform before v.6.13 fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to obtain sensitive information via the log files. | |||||
| CVE-2021-40364 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2022-07-28 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC04), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system. | |||||
| CVE-2022-36321 | 1 Jetbrains | 1 Teamcity | 2022-07-27 | N/A | 6.5 MEDIUM |
| In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases | |||||
| CVE-2019-15507 | 1 Octopus | 1 Server | 2022-07-27 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. | |||||
| CVE-2019-15508 | 1 Octopus | 2 Server, Tentacle | 2022-07-27 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. | |||||