Total
758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11292 | 1 Pivotal Software | 1 Operations Manager | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. | |||||
| CVE-2019-11290 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. | |||||
| CVE-2019-10195 | 2 Fedoraproject, Freeipa | 2 Fedora, Freeipa | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed. | |||||
| CVE-2019-10084 | 1 Apache | 1 Impala | 2023-11-07 | 4.6 MEDIUM | 7.5 HIGH |
| In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure random number generator, so are vulnerable to random number generator attacks that predict future IDs based on past IDs. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. | |||||
| CVE-2019-0202 | 1 Apache | 1 Storm | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints. | |||||
| CVE-2018-7683 | 1 Microfocus | 1 Solutions Business Manager | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files. | |||||
| CVE-2018-7682 | 1 Microfocus | 1 Solutions Business Manager | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains. | |||||
| CVE-2018-20105 | 3 Opensuse, Suse, Yast2-rmt Project | 3 Leap, Suse Linux Enterprise Server, Yast2-rmt | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM |
| A Inclusion of Sensitive Information in Log Files vulnerability in yast2-rmt of SUSE Linux Enterprise Server 15; openSUSE Leap allows local attackers to learn the password if they can access the log file. This issue affects: SUSE Linux Enterprise Server 15 yast2-rmt versions prior to 1.2.2. openSUSE Leap yast2-rmt versions prior to 1.2.2. | |||||
| CVE-2018-1350 | 1 Netiq | 1 Identity Manager | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system enumeration. | |||||
| CVE-2018-1349 | 1 Netiq | 1 Identity Manager | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system or configuration enumeration. | |||||
| CVE-2017-9278 | 1 Netiq | 1 Identity Manager | 2023-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS logs containing the driver authentication password, potentially disclosing this to attackers able to read the EBS tables. | |||||
| CVE-2017-9271 | 2 Fedoraproject, Opensuse | 2 Fedora, Zypper | 2023-11-07 | 2.1 LOW | 3.3 LOW |
| The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used. | |||||
| CVE-2017-7434 | 1 Netiq | 1 Identity Manager | 2023-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| In the JDBC driver of NetIQ Identity Manager before 4.6 sending out incorrect XML configurations could result in passwords being logged into exception logfiles. | |||||
| CVE-2017-15113 | 2 Ovirt, Redhat | 2 Ovirt, Virtualization | 2023-11-07 | 3.5 LOW | 6.6 MEDIUM |
| ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues. | |||||
| CVE-2016-6799 | 1 Apache | 1 Cordova | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | |||||
| CVE-2023-21387 | 1 Google | 1 Android | 2023-11-07 | N/A | 4.4 MEDIUM |
| In User Backup Manager, there is a possible way to leak a token to bypass user confirmation for backup due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-46668 | 1 Elastic | 1 Endpoint | 2023-11-06 | N/A | 9.1 CRITICAL |
| If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts. | |||||
| CVE-2023-46667 | 1 Elastic | 1 Fleet Server | 2023-11-03 | N/A | 8.1 HIGH |
| An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secrets in the policy including for Elasticsearch and third-party services. Alternatively a threat actor could potentially enrol agents to the clusters and send arbitrary events to Elasticsearch. | |||||
| CVE-2023-31422 | 1 Elastic | 1 Kibana | 2023-11-03 | N/A | 7.5 HIGH |
| An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users. | |||||
| CVE-2023-42857 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-11-02 | N/A | 3.3 LOW |
| A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. An app may be able to access sensitive user data. | |||||