Total
89 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-32549 | 1 Apache | 2 Sling Api, Sling Commons Log | 2024-11-21 | 5.3 Medium |
| Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files. | ||||
| CVE-2022-22151 | 1 Yokogawa | 9 Centum Cs 3000, Centum Cs 3000 Entry, Centum Cs 3000 Entry Firmware and 6 more | 2024-11-21 | 8.1 High |
| CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00. | ||||
| CVE-2021-43410 | 1 Apache | 1 Airavata Django Portal | 2024-11-21 | 5.3 Medium |
| Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170 | ||||
| CVE-2021-42250 | 1 Apache | 1 Superset | 2024-11-21 | 6.5 Medium |
| Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. | ||||
| CVE-2021-23266 | 1 Craftercms | 1 Crafter Cms | 2024-11-21 | 4.3 Medium |
| An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. | ||||
| CVE-2021-22096 | 4 Netapp, Oracle, Redhat and 1 more | 12 Active Iq Unified Manager, Management Services For Element Software And Netapp Hci, Metrocluster Tiebreaker and 9 more | 2024-11-21 | 4.3 Medium |
| In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. | ||||
| CVE-2021-20333 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 5.3 Medium |
| Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10. | ||||
| CVE-2020-8566 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.7 Medium |
| In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13. | ||||
| CVE-2020-8565 | 2 Kubernetes, Redhat | 3 Kubernetes, Openshift Container Storage, Openshift Data Foundation | 2024-11-21 | 4.7 Medium |
| In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2. | ||||
| CVE-2020-8564 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.7 Medium |
| In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. | ||||
| CVE-2020-8563 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.7 Medium |
| In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. | ||||
| CVE-2020-4072 | 1 Jhipster | 1 Generator-jhipster-kotlin | 2024-11-21 | 5.3 Medium |
| In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0. | ||||
| CVE-2020-25646 | 1 Ansible Collections Project | 1 Community.crypto | 2024-11-21 | 7.5 High |
| A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality | ||||
| CVE-2020-14332 | 2 Debian, Redhat | 2 Debian Linux, Ansible Engine | 2024-11-21 | 5.5 Medium |
| A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2020-11644 | 1 Br-automation | 6 Gatemanager 4260, Gatemanager 4260 Firmware, Gatemanager 8250 and 3 more | 2024-11-21 | 6.5 Medium |
| The information disclosure vulnerability present in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to generate fake audit log messages. | ||||
| CVE-2019-14864 | 3 Debian, Opensuse, Redhat | 9 Debian Linux, Backports Sle, Leap and 6 more | 2024-11-21 | 6.5 Medium |
| Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. | ||||
| CVE-2019-14858 | 1 Redhat | 3 Ansible Engine, Ansible Tower, Openstack | 2024-11-21 | 5.5 Medium |
| A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task. | ||||
| CVE-2019-14854 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 6.5 Medium |
| OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. | ||||
| CVE-2019-14846 | 3 Debian, Opensuse, Redhat | 6 Debian Linux, Backports Sle, Leap and 3 more | 2024-11-21 | 7.8 High |
| In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. | ||||
| CVE-2019-13509 | 1 Docker | 1 Docker | 2024-11-21 | N/A |
| In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. | ||||