Total
926 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15113 | 2 Ovirt, Redhat | 3 Ovirt, Rhev Manager, Virtualization | 2024-11-21 | N/A |
| ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues. | ||||
| CVE-2017-1000401 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged. | ||||
| CVE-2017-0361 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A |
| Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. | ||||
| CVE-2016-10819 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
| In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125). | ||||
| CVE-2016-10526 | 1 Grunt-gh-pages Project | 1 Grunt-gh-pages | 2024-11-21 | N/A |
| A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised. | ||||
| CVE-2016-0898 | 1 Vmware | 1 Pivotal Software Mysql | 2024-11-21 | 10.0 Critical |
| MySQL for PCF tiles 1.7.x before 1.7.10 were discovered to log the AWS access key in plaintext. These credentials were logged to the Service Backup component logs, and not the system log, thus were not exposed outside the Service Backup VM. | ||||
| CVE-2015-9543 | 1 Openstack | 1 Nova | 2024-11-21 | 3.3 Low |
| An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py. | ||||
| CVE-2015-1343 | 1 Canonical | 1 Ubuntu Linux | 2024-11-21 | N/A |
| All versions of unity-scope-gdrive logs search terms to syslog. | ||||
| CVE-2014-3536 | 1 Redhat | 1 Cloudforms Management Engine | 2024-11-21 | 5.5 Medium |
| CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration | ||||
| CVE-2013-1771 | 1 Monkey-project | 1 Monkey | 2024-11-21 | 7.5 High |
| The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo. | ||||
| CVE-2012-1156 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | 7.5 High |
| Moodle before 2.2.2 has users' private files included in course backups | ||||
| CVE-2024-11193 | 2024-11-15 | 6.5 Medium | ||
| An information disclosure vulnerability exists in Yugabyte Anywhere, where the LDAP bind password is logged in plaintext within application logs. This flaw results in the unintentional exposure of sensitive information in Yugabyte Anywhere logs, potentially allowing unauthorized users with access to these logs to view the LDAP bind password. An attacker with log access could exploit this vulnerability to gain unauthorized access to the LDAP server, leading to potential exposure or compromise of LDAP-managed resources This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0. | ||||
| CVE-2024-52009 | 2024-11-12 | N/A | ||
| Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-51528 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-07 | 4 Medium |
| Vulnerability of improper log printing in the Super Home Screen module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2024-51752 | 2024-11-06 | N/A | ||
| The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.13.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-51753 | 2024-11-06 | N/A | ||
| The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-49750 | 1 Snowflake | 1 Snowflake Connector | 2024-11-06 | 5.5 Medium |
| The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified via the `passcode` parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, if enabled, contained bugs which caused it to not fully redact JWT tokens and certain private key formats. Snowflake released version 3.12.3 of the Snowflake Connector for Python, which fixes the issue. In addition to upgrading, users should review their logs for any potentially sensitive information that may have been captured. | ||||
| CVE-2024-44205 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-11-05 | 5.5 Medium |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs. | ||||
| CVE-2024-10544 | 1 Prasidhda | 1 Woo Manage Fraud Orders | 2024-11-01 | 5.3 Medium |
| The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.1.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files. | ||||
| CVE-2024-44239 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2024-10-30 | 5.5 Medium |
| An information disclosure issue was addressed with improved private data redaction for log entries. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1. An app may be able to leak sensitive kernel state. | ||||