Total
926 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-35719 | 1 Ibm | 1 Mq Internet Pass-thru | 2025-04-25 | 5.1 Medium |
| IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user. | ||||
| CVE-2022-2721 | 1 Octopus | 1 Octopus Server | 2025-04-25 | 7.5 High |
| In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. | ||||
| CVE-2024-22464 | 1 Dell | 1 Emc Appsync | 2025-04-24 | 6.2 Medium |
| Dell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Service Pack releases, contain an exposure of sensitive information vulnerability in AppSync server logs. A high privileged remote attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account. | ||||
| CVE-2022-24757 | 1 Jupyter | 1 Jupyter Server | 2025-04-23 | 7.5 High |
| The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter Server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter Server version 1.15.4 contains a patch for this issue. There are currently no known workarounds. | ||||
| CVE-2022-24758 | 1 Jupyter | 1 Notebook | 2025-04-23 | 7.5 High |
| The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds. | ||||
| CVE-2022-24875 | 1 Cve | 1 Cve-services | 2025-04-23 | 5.3 Medium |
| The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate. | ||||
| CVE-2022-31047 | 1 Typo3 | 1 Typo3 | 2025-04-23 | 5.3 Medium |
| TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem. | ||||
| CVE-2022-31098 | 1 Weave | 1 Weave Gitops | 2025-04-23 | 9 Critical |
| Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfg, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive configurations from external log storage if enabled by the management cluster. This vulnerability is due to the client factory dumping cluster configurations and their service account tokens when the cluster manager tries to connect to an API server of a registered cluster, and a connection error occurs. An attacker could exploit this vulnerability by either accessing logs of a pod of Weave GitOps, or from external log storage and obtaining all cluster configurations of registered clusters. A successful exploit could allow the attacker to use those cluster configurations to manage the registered Kubernetes clusters. This vulnerability has been fixed by commit 567356f471353fb5c676c77f5abc2a04631d50ca. Users should upgrade to Weave GitOps core version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability. | ||||
| CVE-2022-31186 | 1 Next-auth | 1 Nextauth.js | 2025-04-23 | 3.3 Low |
| NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can user the `logger` configuration option by sanitizing the logs. | ||||
| CVE-2022-31119 | 1 Nextcloud | 1 Mail | 2025-04-23 | 3.1 Low |
| Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration. | ||||
| CVE-2023-6746 | 1 Github | 1 Enterprise Server | 2025-04-23 | 8.1 High |
| An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | ||||
| CVE-2022-39897 | 1 Google | 1 Android | 2025-04-23 | 4.4 Medium |
| Exposure of Sensitive Information vulnerability in kernel prior to SMR Dec-2022 Release 1 allows attackers to access the kernel address information via log. | ||||
| CVE-2025-2300 | 2025-04-23 | 5.5 Medium | ||
| Hitachi Ops Center Common Services within Hitachi Ops Center OVA contains an information exposure vulnerability. This issue affects Hitachi Ops Center Common Services: from 11.0.3-00 before 11.0.4-00. | ||||
| CVE-2025-2092 | 2025-04-23 | N/A | ||
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators. | ||||
| CVE-2022-33187 | 1 Broadcom | 1 Brocade Sannav | 2025-04-22 | 5.5 Medium |
| Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs. The vulnerability could allow an attacker with admin privilege to read sensitive information. | ||||
| CVE-2022-23469 | 1 Traefik | 1 Traefik | 2025-04-22 | 3.5 Low |
| Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`. | ||||
| CVE-2016-8233 | 1 Lenovo | 1 Xclarity Administrator | 2025-04-20 | N/A |
| Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in a non-secure, clear text form that could be viewed by a non-privileged user. | ||||
| CVE-2017-6165 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2025-04-20 | N/A |
| In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 on VIPRION platforms only, the script which synchronizes SafeNet External Network HSM configuration elements between blades in a clustered deployment will log the HSM partition password in cleartext to the "/var/log/ltm" log file. | ||||
| CVE-2015-3243 | 1 Rsyslog | 1 Rsyslog | 2025-04-20 | N/A |
| rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron. | ||||
| CVE-2017-8001 | 2 Dell, Linux | 2 Emc Scaleio, Linux Kernel | 2025-04-20 | 8.4 High |
| An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment, one of the support scripts saves the credentials of the ScaleIO MDM user who executed the script in clear text in temporary log files. The temporary files may potentially be read by an unprivileged user with access to the server where the script was executed to recover exposed credentials. | ||||