Total
796 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-3827 | 1 Elastic | 1 Azure Repository | 2024-02-28 | 4.3 MEDIUM | 8.1 HIGH |
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged. | |||||
CVE-2019-0266 | 1 Sap | 1 Hana Extended Application Services | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Even though this trace file is protected from unauthorized access, the risk of leaking information is increased. | |||||
CVE-2018-19014 | 1 Draeger | 8 Delta Xl, Delta Xl Firmware, Infinity Delta and 5 more | 2024-02-28 | 3.3 LOW | 6.5 MEDIUM |
Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network connection. By accessing the log files, an attacker is able to gain insights about internals of the patient monitor, the location of the monitor, and wired network configuration. | |||||
CVE-2018-15004 | 1 Coolpad | 2 Canvas, Canvas Firmware | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files. | |||||
CVE-2019-8944 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | |||||
CVE-2019-3500 | 4 Aria2 Project, Canonical, Debian and 1 more | 4 Aria2, Ubuntu Linux, Debian Linux and 1 more | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file. | |||||
CVE-2018-3776 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. | |||||
CVE-2018-1999036 | 1 Jenkins | 1 Ssh Agent | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. | |||||
CVE-2017-1198 | 1 Ibm | 1 Bigfix Compliance | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 123673. | |||||
CVE-2018-17922 | 1 Circontrol | 2 Circarlife, Circarlife Firmware | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
Circontrol CirCarLife all versions prior to 4.3.1, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication. | |||||
CVE-2018-6599 | 1 Orbic | 2 Wonder Rc555l, Wonder Rc555l Firmware | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls. | |||||
CVE-2018-16889 | 1 Redhat | 1 Ceph | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Ceph does not properly sanitize encryption keys in debug logging for v4 auth. This results in the leaking of encryption key information in log files via plaintext. Versions up to v13.2.4 are vulnerable. | |||||
CVE-2018-15797 | 1 Pivotal Software | 1 Cloud Foundry Nfs Volume | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand. | |||||
CVE-2018-1198 | 1 Pivotal Software | 1 Pivotal Cloud Cache | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser password in plain text during BOSH deployment logs. A malicious user with access to the logs could escalate their privileges using this password. | |||||
CVE-2018-15763 | 1 Pivotal Software | 1 Pivotal Container Service | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Pivotal Container Service, versions prior to 1.2.0, contains an information disclosure vulnerability which exposes IaaS credentials to application logs. A malicious user with access to application logs may be able to obtain IaaS credentials and perform actions using these credentials. | |||||
CVE-2019-4008 | 1 Ibm | 1 Api Connect | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626. | |||||
CVE-2019-0029 | 1 Juniper | 3 Advanced Threat Prevention, Atp400, Atp700 | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
Juniper ATP Series Splunk credentials are logged in a file readable by authenticated local users. Using these credentials an attacker can access the Splunk server. This issue affects Juniper ATP 5.0 versions prior to 5.0.3. | |||||
CVE-2018-14995 | 1 Zteusa | 8 Zte Blade Spark, Zte Blade Spark Firmware, Zte Blade Vantage and 5 more | 2024-02-28 | 1.9 LOW | 4.7 MEDIUM |
The ZTE Blade Vantage Android device with a build fingerprint of ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys, the ZTE Blade Spark Android device with a build fingerprint of ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys, the ZTE ZMAX Pro Android device with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contain a pre-installed platform app with a package name of com.android.modem.service (versionCode=25, versionName=7.1.1; versionCode=23, versionName=6.0.1) that exports an interface to any app on co-located on the device. Using the exported interface of the com.android.modem.service app, any app can enable and obtain certain log files (modem and logcat) without the appropriate corresponding access permissions. The modem logs contain the phone number and full text body of incoming and outgoing text messages in binary format. In addition, the modem log contains the phone numbers for both incoming and outgoing phone calls. The system-wide logcat logs (those obtained via the logcat binary) tend to contain sensitive user data. Third-party apps are prevented from directly reading the system-wide logcat logs. The capability to read from the system-wide logcat logs is only available to pre-installed system apps and platform apps. The modem log and/or logcat log, once activated, get written to external storage (SD card). An app aware of this vulnerability can enable the logs, parse them for relevant data, and exfiltrate them from the device. The modem log and logcat log are inactive by default, but a third-party app with no permissions can activate them, although the app will need to be granted the READ_EXTERNAL_STORAGE permission to access them. | |||||
CVE-2018-15002 | 1 Vivo | 2 V7, V7 Firmware | 2024-02-28 | 1.9 LOW | 4.7 MEDIUM |
The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys allows any app co-located on the device to set system properties as the com.android.phone user. The com.qualcomm.qti.modemtestmode app (versionCode=25, versionName=7.1.2) that contains an exported service named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app co-located on the device to provide key-value pairs to set certain system properties. Notably, system properties with the persist.* prefix can be set which will survive a reboot. On the Vivo V7 device, when the persist.sys.input.log property is set to have a value of yes, the user's screen touches be written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage via a different known vulnerability on the device. The READ_EXTERNAL_STORAGE permission is necessary to access the log files containing the user's touch coordinates. With some effort, the user's touch coordinates can be mapped to key presses on a keyboard. | |||||
CVE-2018-19865 | 2 Opensuse, Qt | 2 Leap, Qt | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. |