Total
979 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6802 | 1 Github | 1 Enterprise Server | 2024-11-21 | 7.2 High |
| An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | ||||
| CVE-2023-6687 | 1 Elastic | 1 Elastic Agent | 2024-11-21 | 6.8 Medium |
| An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default. | ||||
| CVE-2023-6460 | 1 Google | 1 Cloud Firestore | 2024-11-21 | 4 Medium |
| A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue | ||||
| CVE-2023-6287 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2024-11-21 | 3.3 Low |
| Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files. | ||||
| CVE-2023-5499 | 1 Reachfargps | 2 Reachfar Gps, Reachfar Gps Firmware | 2024-11-21 | 7.5 High |
| Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week's logs stored in the 'log2' directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations. | ||||
| CVE-2023-5339 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 4.7 Medium |
| Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | ||||
| CVE-2023-5182 | 1 Canonical | 1 Subiquity | 2024-11-21 | 5.5 Medium |
| Sensitive data could be exposed in logs of subiquity version 23.09.1 and earlier. An attacker in the adm group could use this information to find hashed passwords and possibly escalate their privilege. | ||||
| CVE-2023-52143 | 1 Noorsplugin | 1 Wp Stripe Checkout | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout.This issue affects WP Stripe Checkout: from n/a through 1.2.2.37. | ||||
| CVE-2023-51508 | 1 Meowapps | 1 Database Cleaner | 2024-11-21 | 5.3 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Database Cleaner: Clean, Optimize & Repair.This issue affects Database Cleaner: Clean, Optimize & Repair: from n/a through 0.9.8. | ||||
| CVE-2023-4688 | 4 Acronis, Apple, Linux and 1 more | 4 Agent, Macos, Linux Kernel and 1 more | 2024-11-21 | 5.5 Medium |
| Sensitive information leak through log files. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 35433. | ||||
| CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 4.5 Medium |
| Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | ||||
| CVE-2023-49921 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 5.2 Medium |
| An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical. | ||||
| CVE-2023-48708 | 1 Codeigniter | 1 Shield | 2024-11-21 | 5 Medium |
| CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files. | ||||
| CVE-2023-47390 | 1 Juanfont | 1 Headscale | 2024-11-21 | 7.5 High |
| Headscale through 0.22.3 writes bearer tokens to info-level logs. | ||||
| CVE-2023-47131 | 4 Google, Microsoft, Mozilla and 1 more | 4 Chrome, Edge, Firefox and 1 more | 2024-11-21 | 7.5 High |
| The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file. | ||||
| CVE-2023-46671 | 1 Elastic | 1 Kibana | 2024-11-21 | 8 High |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions). | ||||
| CVE-2023-46668 | 1 Elastic | 1 Endpoint | 2024-11-21 | 4.6 Medium |
| If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts. | ||||
| CVE-2023-46667 | 1 Elastic | 1 Fleet Server | 2024-11-21 | 8.1 High |
| An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secrets in the policy including for Elasticsearch and third-party services. Alternatively a threat actor could potentially enrol agents to the clusters and send arbitrary events to Elasticsearch. | ||||
| CVE-2023-46255 | 1 Authzed | 1 Spicedb | 2024-11-21 | 4.2 Medium |
| SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue. | ||||
| CVE-2023-45825 | 1 Ydb | 1 Ydb-go-sdk | 2024-11-21 | 5.5 Medium |
| ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6 if you use a custom credentials object (implementation of interface Credentials it may leak into logs. This happens because this object could be serialized into an error message using `fmt.Errorf("something went wrong (credentials: %q)", credentials)` during connection to the YDB server. If such logging occurred, a malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database. ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3. Users are advised to upgrade. Users unable to upgrade should implement the `fmt.Stringer` interface in your custom credentials type with explicit stringify of object state. | ||||