Vulnerabilities (CVE)

Filtered by CWE-532
Total 766 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-50740 2024-11-21 N/A 5.3 MEDIUM
In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module.  We recommend users upgrade the version of Linkis to version 1.5.0
CVE-2023-4688 4 Acronis, Apple, Linux and 1 more 4 Agent, Macos, Linux Kernel and 1 more 2024-11-21 N/A 5.5 MEDIUM
Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35433.
CVE-2023-4677 1 Artica 1 Pandora Fms 2024-11-21 N/A 7.0 HIGH
Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772.
CVE-2023-4380 1 Redhat 4 Ansible Automation Platform, Ansible Developer, Ansible Inside and 1 more 2024-11-21 N/A 6.3 MEDIUM
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
CVE-2023-4108 1 Mattermost 1 Mattermost 2024-11-21 N/A 4.5 MEDIUM
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
CVE-2023-49923 1 Elastic 1 Enterprise Search 2024-11-21 N/A 6.8 MEDIUM
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
CVE-2023-49922 1 Elastic 1 Elastic Beats 2024-11-21 N/A 6.8 MEDIUM
An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.
CVE-2023-49921 1 Elastic 1 Elasticsearch 2024-11-21 N/A 5.2 MEDIUM
An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.
CVE-2023-48708 1 Codeigniter 1 Shield 2024-11-21 N/A 5.0 MEDIUM
CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.
CVE-2023-47390 1 Juanfont 1 Headscale 2024-11-21 N/A 7.5 HIGH
Headscale through 0.22.3 writes bearer tokens to info-level logs.
CVE-2023-47131 4 Google, Microsoft, Mozilla and 1 more 4 Chrome, Edge, Firefox and 1 more 2024-11-21 N/A 7.5 HIGH
The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.
CVE-2023-46742 2024-11-21 N/A 4.8 MEDIUM
CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
CVE-2023-46675 1 Elastic 1 Kibana 2024-11-21 N/A 8.0 HIGH
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete.
CVE-2023-46672 1 Elastic 1 Logstash 2024-11-21 N/A 8.4 HIGH
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: * Logstash is configured to log in JSON format https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html , which is not the default logging format. * Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.
CVE-2023-46671 1 Elastic 1 Kibana 2024-11-21 N/A 8.0 HIGH
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).
CVE-2023-46668 1 Elastic 1 Endpoint 2024-11-21 N/A 4.6 MEDIUM
If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts.
CVE-2023-46667 1 Elastic 1 Fleet Server 2024-11-21 N/A 8.1 HIGH
An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secrets in the policy including for Elasticsearch and third-party services. Alternatively a threat actor could potentially enrol agents to the clusters and send arbitrary events to Elasticsearch.
CVE-2023-46255 1 Authzed 1 Spicedb 2024-11-21 N/A 4.2 MEDIUM
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.
CVE-2023-46215 1 Apache 2 Airflow, Airflow Celery Provider 2024-11-21 N/A 7.5 HIGH
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.
CVE-2023-46171 2024-11-21 N/A 4.3 MEDIUM
IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to view sensitive log information after enumerating filenames. IBM X-Force ID: 269408.