Total
979 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-31417 | 1 Elastic | 1 Elasticsearch | 2025-02-13 | N/A | 4.1 MEDIUM |
| Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured. | |||||
| CVE-2023-2878 | 1 Kubernetes | 1 Secrets-store-csi-driver | 2025-02-13 | N/A | 6.5 MEDIUM |
| Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs. | |||||
| CVE-2024-52067 | 1 Apache | 1 Nifi | 2025-02-11 | N/A | 4.9 MEDIUM |
| Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with the default Logback configuration do not log Parameter Context values. Upgrading to Apache NiFi 2.0.0 or 1.28.1 is the recommendation mitigation, eliminating Parameter value logging from the flow synchronization process regardless of the Logback configuration. | |||||
| CVE-2023-23591 | 1 Terminalfour | 1 Terminalfour | 2025-02-10 | N/A | 4.9 MEDIUM |
| The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3.11.1, and 8.3.14.1. | |||||
| CVE-2025-23374 | 1 Dell | 1 Enterprise Sonic Distribution | 2025-02-07 | N/A | 8.0 HIGH |
| Dell Networking Switches running Enterprise SONiC OS, version(s) prior to 4.4.1 and 4.2.3, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | |||||
| CVE-2024-2302 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | N/A | 5.3 MEDIUM |
| The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII. | |||||
| CVE-2023-30610 | 1 Amazon | 1 Aws-sigv4 | 2025-02-05 | N/A | 5.5 MEDIUM |
| aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates. | |||||
| CVE-2022-2084 | 1 Canonical | 2 Cloud-init, Ubuntu Linux | 2025-02-05 | N/A | 5.5 MEDIUM |
| Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords. | |||||
| CVE-2021-3429 | 1 Canonical | 1 Cloud-init | 2025-02-05 | N/A | 5.5 MEDIUM |
| When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user. | |||||
| CVE-2023-31056 | 1 Cloverdx | 1 Cloverdx | 2025-02-04 | N/A | 9.1 CRITICAL |
| CloverDX before 5.17.3 writes passwords to the audit log in certain situations, if the audit log is enabled and single sign-on is not employed. The fixed versions are 5.15.4, 5.16.2, 5.17.3, and 6.0.x. | |||||
| CVE-2022-43936 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 6.8 MEDIUM |
| Brocade SANnav versions before 2.2.2 log Brocade Fabric OS switch passwords when debugging is enabled. | |||||
| CVE-2022-43937 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 5.7 MEDIUM |
| Possible information exposure through log file vulnerability where sensitive fields are recorded in the debug-enabled logs when debugging is turned on in Brocade SANnav before 2.3.0 and 2.2.2a | |||||
| CVE-2022-43935 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 5.3 MEDIUM |
| An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where Brocade Fabric OS Switch passwords and authorization IDs are printed in the embedded MLS DB file. | |||||
| CVE-2022-43933 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 4.4 MEDIUM |
| An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys. | |||||
| CVE-2024-29955 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 5.0 MEDIUM |
| A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allow a privileged user to print the SANnav encrypted key in PostgreSQL startup logs. This could provide attackers with an additional, less-protected path to acquiring the encryption key. | |||||
| CVE-2024-29957 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 7.5 HIGH |
| When Brocade SANnav before v2.3.1 and v2.3.0a servers are configured in Disaster Recovery mode, the encryption key is stored in the DR log files. This could provide attackers with an additional, less-protected path to acquiring the encryption key. | |||||
| CVE-2024-29958 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 7.5 HIGH |
| A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the encryption key in the console when a privileged user executes the script to replace the Brocade SANnav Management Portal standby node. This could provide attackers an additional, less protected path to acquiring the encryption key. | |||||
| CVE-2024-29959 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 8.6 HIGH |
| A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support save. | |||||
| CVE-2025-24556 | 2025-02-03 | N/A | 7.5 HIGH | ||
| Insertion of Sensitive Information into Log File vulnerability in DualCube MooWoodle allows Retrieve Embedded Sensitive Data. This issue affects MooWoodle: from n/a through 3.2.4. | |||||
| CVE-2024-25030 | 1 Ibm | 1 Db2 | 2025-01-31 | N/A | 6.2 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 281677. | |||||