Total
799 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-21933 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where the admin password and private key could be found in the log tar package. | |||||
CVE-2021-22516 | 1 Microfocus | 1 Secure Api Manager | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0. The vulnerability could lead to sensitive information being in a log file. | |||||
CVE-2021-28131 | 1 Apache | 1 Impala | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH |
Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs. | |||||
CVE-2021-27019 | 1 Puppet | 2 Puppet Enterprise, Puppetdb | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
PuppetDB logging included potentially sensitive system information. | |||||
CVE-2021-22219 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
All versions of GitLab CE/EE starting from 9.5 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 allow a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. | |||||
CVE-2021-32801 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug. | |||||
CVE-2021-32767 | 1 Typo3 | 1 Typo3 | 2024-02-28 | 3.5 LOW | 6.5 MEDIUM |
TYPO3 is an open source PHP based web content management system. In versions 9.0.0 through 9.5.27, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0, user credentials may been logged as plain-text. This occurs when explicitly using log level debug, which is not the default configuration. TYPO3 versions 9.5.28, 10.4.18, 11.3.1 contain a patch for this vulnerability. | |||||
CVE-2021-22024 | 1 Vmware | 3 Cloud Foundation, Vrealize Operations Manager, Vrealize Suite Lifecycle Manager | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure. | |||||
CVE-2021-39291 | 1 Netmodule | 16 Nb1600, Nb1601, Nb1800 and 13 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Certain NetModule devices allow credentials via GET parameters to CLI-PHP. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800. | |||||
CVE-2021-21601 | 1 Dell | 2 Emc Data Protection Search, Emc Integrated Data Protection Appliance | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
Dell EMC Data Protection Search, 19.4 and prior, and IDPA, 2.6.1 and prior, contain an Information Exposure in Log File Vulnerability in CIS. A local low privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account. | |||||
CVE-2021-21546 | 1 Dell | 1 Emc Networker | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Dell EMC NetWorker versions 18.x,19.x prior to 19.3.0.4 and 19.4.0.0 contain an Information Disclosure in Log Files vulnerability. A local low-privileged user of the Networker server could potentially exploit this vulnerability to read plain-text credentials from server log files. | |||||
CVE-2021-21558 | 1 Dell | 1 Emc Networker | 2024-02-28 | 2.1 LOW | 4.4 MEDIUM |
Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs and use the stolen credentials to make changes to the network domain. | |||||
CVE-2021-35299 | 1 Zammad | 1 Zammad | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing. | |||||
CVE-2021-29759 | 1 Ibm | 1 App Connect Enterprise Certified Container | 2024-02-28 | 2.1 LOW | 2.3 LOW |
IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, and 1.3 could allow a privileged user to obtain sensitive information from internal log files. IBM X-Force ID: 202212. | |||||
CVE-2021-22929 | 1 Brave | 1 Brave | 2024-02-28 | 3.6 LOW | 6.1 MEDIUM |
An information disclosure exists in Brave Browser Desktop prior to version 1.28.62, where logged warning messages that included timestamps of connections to V2 onion domains in tor.log. | |||||
CVE-2021-25421 | 1 Samsung | 1 Galaxy Watch 3 Plugin | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Improper log management vulnerability in Galaxy Watch3 PlugIn prior to version 2.2.09.21033151 allows attacker with log permissions to leak Wi-Fi password connected to the user smartphone within log. | |||||
CVE-2021-27022 | 1 Puppet | 2 Puppet, Puppet Enterprise | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes). | |||||
CVE-2021-3425 | 1 Redhat | 1 Jboss A-mq | 2024-02-28 | 2.1 LOW | 4.4 MEDIUM |
A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Versions shipped in Red Hat AMQ 7 are vulnerable. | |||||
CVE-2021-26999 | 1 Netapp | 1 Cloud Manager | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. The logged information is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version. | |||||
CVE-2021-20178 | 2 Fedoraproject, Redhat | 3 Fedora, Ansible, Ansible Tower | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. |