Total
810 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23791 | 1 Otrs | 1 Otrs | 2024-02-02 | N/A | 7.5 HIGH |
| Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1. | |||||
| CVE-2024-21668 | 1 Mrousavy | 1 React-native-mmkv | 2024-01-16 | N/A | 4.9 MEDIUM |
| react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging Bridge (ADB) if it is enabled in the phone settings. This bug is not present on iOS devices. By logging the encryption secret to the system logs, attackers can trivially recover the secret by enabling ADB and undermining an app's thread model. This issue has been patched in version 2.11.0. | |||||
| CVE-2023-50253 | 1 Laf | 1 Laf | 2024-01-11 | N/A | 6.5 MEDIUM |
| Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist. | |||||
| CVE-2023-46742 | 1 Linuxfoundation | 1 Cubefs | 2024-01-10 | N/A | 6.5 MEDIUM |
| CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS. | |||||
| CVE-2023-40338 | 1 Jenkins | 1 Folders | 2024-01-02 | N/A | 4.3 MEDIUM |
| Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. | |||||
| CVE-2023-4380 | 1 Redhat | 4 Ansible Automation Platform, Ansible Developer, Ansible Inside and 1 more | 2024-01-01 | N/A | 6.3 MEDIUM |
| A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. | |||||
| CVE-2023-6802 | 1 Github | 1 Enterprise Server | 2023-12-29 | N/A | 6.5 MEDIUM |
| An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | |||||
| CVE-2021-20178 | 2 Fedoraproject, Redhat | 3 Fedora, Ansible, Ansible Tower | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | |||||
| CVE-2021-3447 | 2 Fedoraproject, Redhat | 3 Fedora, Ansible, Ansible Tower | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2. | |||||
| CVE-2021-20191 | 2 Oracle, Redhat | 8 Virtualization, Ansible, Ansible Tower and 5 more | 2023-12-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. | |||||
| CVE-2023-45809 | 1 Torchbox | 1 Wagtail | 2023-12-28 | N/A | 2.7 LOW |
| Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-40442 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-12-22 | N/A | 3.3 LOW |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8. An app may be able to read sensitive location information. | |||||
| CVE-2023-40392 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-12-22 | N/A | 3.3 LOW |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.5. An app may be able to read sensitive location information. | |||||
| CVE-2021-25284 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 1.9 LOW | 4.4 MEDIUM |
| An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. | |||||
| CVE-2018-2372 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A plain keystore password is written to a system log file in SAP HANA Extended Application Services, 1.0, which could endanger confidentiality of SSL communication. | |||||
| CVE-2023-6687 | 1 Elastic | 1 Elastic Agent | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default. | |||||
| CVE-2023-5499 | 1 Reachfargps | 2 Reachfar Gps, Reachfar Gps Firmware | 2023-12-19 | N/A | 7.5 HIGH |
| Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week's logs stored in the 'log2' directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations. | |||||
| CVE-2023-49922 | 1 Elastic | 1 Elastic Beats | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default. | |||||
| CVE-2023-49923 | 1 Elastic | 1 Enterprise Search | 2023-12-19 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default. | |||||
| CVE-2023-46671 | 1 Elastic | 1 Kibana | 2023-12-18 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions). | |||||