| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
| An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. |
| Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. |
| Under certain error conditions at time of SANnav installation or upgrade, the encryption key can be written into and obtained from a Brocade SANnav supportsave. An attacker with privileged access to the Brocade SANnav database could use the encryption key to obtain passwords used by Brocade SANnav. |
| Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue. |
| The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
OpenUrlToBufferTimeout. This method takes a URL as a parameter and
returns its contents to the caller in JavaScript. The URLs are accessed
in the security context of the current browser session. The control does
not perform any URL validation and allows file:// URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
the URLs through JavaScript. This method could also be used to reach any
arbitrary URL to which the browser has access. |
| The BWOCXRUN.BwocxrunCtrl.1 control contains a method named
“OpenUrlToBuffer.” This method takes a URL as a parameter and returns
its contents to the caller in JavaScript. The URLs are accessed in the
security context of the current browser session. The control does not
perform any URL validation and allows “file://” URLs that access the
local disk.
The method can be used to open a URL (including file URLs) and read
file URLs through JavaScript. This method could also be used to reach
any arbitrary URL to which the browser has access. |
| The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue. |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p22, <2.2.0p37, <2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users. |
| A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials. |
| IBM UrbanCode Deploy (UCD) through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1
stores potentially sensitive authentication token information in log files that could be read by a local user. |
| IBM InfoSphere Information Server 11.7 could disclose sensitive user credentials from log files during new installation of the product. |
| VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure. |
| Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. |
| TYPO3 is a free and open source Content Management Framework. It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect. Users are advised to update to TYPO3 versions 13.4.3 ELTS which fixes the problem described. There are no known workarounds for this vulnerability. |
| IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 stores potentially sensitive information in log files that could be read by a local user. |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators. |
| Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1. |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11. |
| In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files |
