Filtered by CWE-532
Filtered by vendor Subscriptions
Total 853 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2015-3243 1 Rsyslog 1 Rsyslog 2024-11-21 N/A
rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.
CVE-2015-1343 1 Canonical 1 Ubuntu Linux 2024-11-21 N/A
All versions of unity-scope-gdrive logs search terms to syslog.
CVE-2014-7231 2 Openstack, Redhat 4 Cinder, Nova, Trove and 1 more 2024-11-21 N/A
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
CVE-2014-7230 3 Canonical, Openstack, Redhat 5 Ubuntu Linux, Cinder, Nova and 2 more 2024-11-21 N/A
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
CVE-2014-3536 1 Redhat 1 Cloudforms Management Engine 2024-11-21 5.5 Medium
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-1948 2 Openstack, Redhat 2 Image Registry And Delivery Service \(glance\), Openstack 2024-11-21 N/A
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.
CVE-2014-0059 1 Redhat 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more 2024-11-21 N/A
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
CVE-2013-6384 1 Openstack 1 Ceilometer 2024-11-21 N/A
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
CVE-2013-1771 1 Monkey-project 1 Monkey 2024-11-21 7.5 High
The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo.
CVE-2012-1156 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-11-21 7.5 High
Moodle before 2.2.2 has users' private files included in course backups
CVE-2011-1943 2 Fedoraproject, Gnome 2 Fedora, Networkmanager 2024-11-21 N/A
The destroy_one_secret function in nm-setting-vpn.c in libnm-util in the NetworkManager package 0.8.999-3.git20110526 in Fedora 15 creates a log entry containing a certificate password, which allows local users to obtain sensitive information by reading a log file.
CVE-2001-1556 1 Apache 1 Http Server 2024-11-21 3.3 Low
The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.
CVE-2024-11193 2024-11-15 6.5 Medium
An information disclosure vulnerability exists in Yugabyte Anywhere, where the LDAP bind password is logged in plaintext within application logs. This flaw results in the unintentional exposure of sensitive information in Yugabyte Anywhere logs, potentially allowing unauthorized users with access to these logs to view the LDAP bind password. An attacker with log access could exploit this vulnerability to gain unauthorized access to the LDAP server, leading to potential exposure or compromise of LDAP-managed resources This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.
CVE-2024-52009 2024-11-12 N/A
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-51528 1 Huawei 2 Emui, Harmonyos 2024-11-07 4 Medium
Vulnerability of improper log printing in the Super Home Screen module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-51752 2024-11-06 N/A
The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.13.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-51753 2024-11-06 N/A
The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-49750 1 Snowflake 1 Snowflake Connector 2024-11-06 5.5 Medium
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified via the `passcode` parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, if enabled, contained bugs which caused it to not fully redact JWT tokens and certain private key formats. Snowflake released version 3.12.3 of the Snowflake Connector for Python, which fixes the issue. In addition to upgrading, users should review their logs for any potentially sensitive information that may have been captured.
CVE-2024-44205 1 Apple 3 Ipados, Iphone Os, Macos 2024-11-06 5.5 Medium
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.
CVE-2024-10544 1 Prasidhda 1 Woo Manage Fraud Orders 2024-11-01 5.3 Medium
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.