Total
810 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46675 | 1 Elastic | 1 Kibana | 2023-12-18 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete. | |||||
| CVE-2023-36649 | 1 Prolion | 1 Cryptospike | 2023-12-14 | N/A | 9.1 CRITICAL |
| Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs (as a Granafa authenticated user) or from the Loki REST API without authentication. | |||||
| CVE-2023-6460 | 1 Google | 1 Cloud Firestore | 2023-12-08 | N/A | 5.5 MEDIUM |
| A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue | |||||
| CVE-2023-48708 | 1 Codeigniter | 1 Shield | 2023-11-30 | N/A | 6.5 MEDIUM |
| CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files. | |||||
| CVE-2021-22143 | 1 Elastic | 1 Apm .net Agent | 2023-11-30 | N/A | 4.3 MEDIUM |
| The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent. | |||||
| CVE-2023-4677 | 1 Artica | 1 Pandora Fms | 2023-11-30 | N/A | 9.8 CRITICAL |
| Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772. | |||||
| CVE-2023-25682 | 1 Ibm | 1 Sterling B2b Integrator | 2023-11-30 | N/A | 5.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 247034. | |||||
| CVE-2022-29869 | 3 Debian, Fedoraproject, Samba | 3 Debian Linux, Fedora, Cifs-utils | 2023-11-24 | 4.3 MEDIUM | 5.3 MEDIUM |
| cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. | |||||
| CVE-2023-32283 | 1 Intel | 1 On Demand | 2023-11-21 | N/A | 5.5 MEDIUM |
| Insertion of sensitive information into log file in some Intel(R) On Demand software before versions 1.16.2, 2.1.1, 3.1.0 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2023-47390 | 1 Juanfont | 1 Headscale | 2023-11-17 | N/A | 7.5 HIGH |
| Headscale through 0.22.3 writes bearer tokens to info-level logs. | |||||
| CVE-2022-46647 | 4 Apple, Google, Intel and 1 more | 4 Iphone Os, Android, Unison Software and 1 more | 2023-11-17 | N/A | 5.5 MEDIUM |
| Insertion of sensitive information into log file for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2023-0436 | 1 Mongodb | 1 Atlas Kubernetes Operator | 2023-11-14 | N/A | 7.5 HIGH |
| The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration: DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 ) | |||||
| CVE-2023-46255 | 1 Authzed | 1 Spicedb | 2023-11-08 | N/A | 6.5 MEDIUM |
| SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue. | |||||
| CVE-2023-30721 | 1 Samsung | 1 Android | 2023-11-07 | N/A | 4.4 MEDIUM |
| Insertion of sensitive information into log vulnerability in Locksettings prior to SMR Sep-2023 Release 1 allows a privileged local attacker to get lock screen match information from the log. | |||||
| CVE-2023-26207 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-11-07 | N/A | 6.5 MEDIUM |
| An insertion of sensitive information into log file vulnerability in Fortinet FortiOS 7.2.0 through 7.2.4 and FortiProxy 7.0.0 through 7.0.10. 7.2.0 through 7.2.1 allows an attacker to read certain passwords in plain text. | |||||
| CVE-2023-25604 | 1 Fortinet | 1 Fortiguest | 2023-11-07 | N/A | 5.5 MEDIUM |
| An insertion of sensitive information into log file vulnerability in Fortinet FortiGuest 1.0.0 allows a local attacker to access plaintext passwords in the RADIUS logs. | |||||
| CVE-2023-25687 | 1 Ibm | 1 Security Key Lifecycle Manager | 2023-11-07 | N/A | 4.3 MEDIUM |
| IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to obtain sensitive information from log files. IBM X-Force ID: 247602. | |||||
| CVE-2023-24827 | 1 Anchore | 1 Syft | 2023-11-07 | N/A | 7.5 HIGH |
| syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable. The `SYFT_ATTEST_PASSWORD` environment variable is for the `syft attest` command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with `syft attest --key <path-to-key-file>`) during the signing process while generating an SBOM attestation. This vulnerability affects users running syft that have the `SYFT_ATTEST_PASSWORD` environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable `SYFT_ATTEST_PASSWORD` set are not affected by this issue. The credentials are leaked in two ways: in the syft logs when `-vv` or `-vvv` are used in the syft command (which is any log level >= `DEBUG`) and in the attestation or SBOM only when the `syft-json` format is used. Note that as of v0.69.0 any generated attestations by the `syft attest` command are uploaded to the OCI registry (if you have write access to that registry) in the same way `cosign attach` is done. This means that any attestations generated for the affected versions of syft when the `SYFT_ATTEST_PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry. This issue has been patched in commit `9995950c70` and has been released as v0.70.0. There are no workarounds for this vulnerability. Users are advised to upgrade. | |||||
| CVE-2023-22575 | 1 Dell | 1 Emc Powerscale Onefs | 2023-11-07 | N/A | 8.8 HIGH |
| Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in celog. A low privileges user could potentially exploit this vulnerability, leading to information disclosure and escalation of privileges. | |||||
| CVE-2023-22572 | 1 Dell | 1 Emc Powerscale Onefs | 2023-11-07 | N/A | 7.8 HIGH |
| Dell PowerScale OneFS 9.1.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in change password api. A low privilege local attacker could potentially exploit this vulnerability, leading to system takeover. | |||||