# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
1 | CVE-2023-22733 | 532 | | | 2023-01-17 | 2023-01-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users' accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove from all users the log module ACL rights or disable logging. |
2 | CVE-2022-44745 | 532 | | +Info | 2022-11-07 | 2022-11-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107. |
3 | CVE-2022-44624 | 532 | | | 2022-11-03 | 2022-11-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters |
4 | CVE-2022-43887 | 532 | | Bypass | 2022-12-19 | 2022-12-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450. |
5 | CVE-2022-43673 | 532 | | | 2022-11-18 | 2022-11-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. |
6 | CVE-2022-41618 | 532 | | | 2022-11-18 | 2022-11-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. |
7 | CVE-2022-41553 | 532 | | | 2022-11-01 | 2023-01-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Insertion of Sensitive Information into Temporary File vulnerability in Hitachi Infrastructure Analytics Advisor on Linux (Analytics probe component), Hitachi Ops Center Analyzer on Linux (Hitachi Ops Center Analyzer probe component) allows local users to gain sensitive information. This issue affects Hitachi Infrastructure Analytics Advisor: from 2.0.0-00 through 4.4.0-00; Hitachi Ops Center Analyzer: from 10.0.0-00 before 10.9.0-00. |
8 | CVE-2022-40979 | 532 | | | 2022-09-23 | 2022-09-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable |
9 | CVE-2022-39897 | 532 | | | 2022-12-08 | 2022-12-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Exposure of Sensitive Information vulnerability in kernel prior to SMR Dec-2022 Release 1 allows attackers to access the kernel address information via log. |
10 | CVE-2022-39893 | 532 | | | 2022-11-09 | 2022-11-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Sensitive information exposure vulnerability in FmmBaseModel in Galaxy Buds Pro Manage prior to version 4.1.22092751 allows local attackers with log access permission to get device identifier data through device log. |
11 | CVE-2022-39876 | 532 | | | 2022-10-07 | 2022-10-11 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI. |
12 | CVE-2022-39874 | 532 | | +Info | 2022-10-07 | 2022-10-11 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Sensitive log information leakage vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout. |
13 | CVE-2022-39821 | 532 | | | 2022-09-13 | 2022-10-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an Application Log File vulnerability occurs. The web application stores critical information, such as cleartext user credentials, in world-readable files in the filesystem. |
14 | CVE-2022-39046 | 532 | | | 2022-08-31 | 2022-12-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap. |
15 | CVE-2022-38756 | 532 | | | 2022-12-16 | 2022-12-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies. |
16 | CVE-2022-38149 | 532 | | | 2022-08-17 | 2022-09-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2. |
17 | CVE-2022-38133 | 532 | | | 2022-08-10 | 2022-08-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases |
18 | CVE-2022-36877 | 532 | | | 2022-09-09 | 2022-09-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log. |
19 | CVE-2022-36321 | 532 | | | 2022-07-20 | 2022-07-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases |
20 | CVE-2022-35719 | 532 | | | 2022-11-14 | 2022-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user. |
21 | CVE-2022-34369 | 532 | | | 2022-09-02 | 2022-09-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3, contain an insertion of sensitive information in log files vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to exposure of this sensitive data. |
22 | CVE-2022-33911 | 532 | | +Info | 2022-07-12 | 2022-07-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information. |
23 | CVE-2022-33878 | 532 | | +Info | 2022-11-02 | 2022-11-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Mac versions 7.0.0 through 7.0.5 may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal. |
24 | CVE-2022-33737 | 532 | | | 2022-07-06 | 2022-07-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password |
25 | CVE-2022-33697 | 532 | | | 2022-07-12 | 2022-07-16 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log. |
26 | CVE-2022-33693 | 532 | | | 2022-07-12 | 2022-07-15 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Exposure of Sensitive Information in CID Manager prior to SMR Jul-2022 Release 1 allows local attacker to access iccid via log. |
27 | CVE-2022-33688 | 532 | | | 2022-07-12 | 2022-07-16 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Sensitive information exposure vulnerability in EventType in SecTelephonyProvider prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log. |
28 | CVE-2022-33687 | 532 | | | 2022-07-12 | 2022-07-16 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log. |
29 | CVE-2022-33187 | 532 | | | 2022-12-09 | 2022-12-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs. The vulnerability could allow an attacker with admin privilege to read sensitive information. |
30 | CVE-2022-32565 | 532 | | | 2022-06-13 | 2022-06-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids. |
31 | CVE-2022-32556 | 532 | | | 2022-07-21 | 2022-07-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes. |
32 | CVE-2022-32254 | 532 | | | 2022-06-14 | 2022-06-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). A customized HTTP POST request could force the application to write the status of a given user to a log file, exposing sensitive user information that could provide valuable guidance to an attacker. |
33 | CVE-2022-32217 | 532 | | +Info | 2022-09-23 | 2022-09-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs. |
34 | CVE-2022-32193 | 532 | | | 2022-06-13 | 2022-06-22 | 3.5 | None | Remote | Medium | ??? | Partial | None | None |
Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. |
35 | CVE-2022-31674 | 532 | | | 2022-08-10 | 2022-08-15 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure. |
36 | CVE-2022-31239 | 532 | | | 2022-10-21 | 2022-10-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6, contain sensitive data in log files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data. |
37 | CVE-2022-31186 | 532 | | +Info | 2022-08-01 | 2022-08-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can use the `logger` configuration option by sanitizing the logs. |
38 | CVE-2022-31119 | 532 | | | 2022-08-04 | 2022-08-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration. |
39 | CVE-2022-31098 | 532 | | | 2022-06-27 | 2022-07-11 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive configurations from external log storage if enabled by the management cluster. This vulnerability is due to the client factory dumping cluster configurations and their service account tokens when the cluster manager tries to connect to an API server of a registered cluster, and a connection error occurs. An attacker could exploit this vulnerability by either accessing logs of a pod of Weave GitOps, or from external log storage and obtaining all cluster configurations of registered clusters. A successful exploit could allow the attacker to use those cluster configurations to manage the registered Kubernetes clusters. This vulnerability has been fixed by commit 567356f471353fb5c676c77f5abc2a04631d50ca. Users should upgrade to Weave GitOps core version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability. |
40 | CVE-2022-31047 | 532 | | | 2022-06-14 | 2022-06-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem. |
41 | CVE-2022-30742 | 532 | | | 2022-06-07 | 2022-06-13 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Sensitive information exposure vulnerability in FmmExtraOperation of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log. |
42 | CVE-2022-30741 | 532 | | | 2022-06-07 | 2022-06-13 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Sensitive information exposure vulnerability in SimChangeAlertManger of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log. |
43 | CVE-2022-30733 | 532 | | | 2022-06-07 | 2022-06-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get a user email or phone number without permission. |
44 | CVE-2022-30148 | 532 | | | 2022-06-15 | 2022-06-27 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Windows Desired State Configuration (DSC) Information Disclosure Vulnerability. |
45 | CVE-2022-29928 | 532 | | | 2022-05-12 | 2022-05-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible |
46 | CVE-2022-29810 | 532 | | | 2022-04-27 | 2022-10-06 | 2.1 | None | Local | Low | Not required | Partial | None | None |
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
47 | CVE-2022-29550 | 532 | | | 2022-08-18 | 2022-09-15 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
** DISPUTED ** An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes "ps auxwwe" output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qualys-cloud-agent-scan.log can be read by a user other than root; however, the file contents could be exposed through site-specific operational practices. The vendor does NOT characterize this as a vulnerability because the ps data collection is intentional, and would only capture credentials on a machine that was already affected by the CWE-214 weakness. |
48 | CVE-2022-28859 | 532 | | | 2022-05-05 | 2022-05-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
On F5 BIG-IP 15.1.x versions prior to 15.1.5.1 and 14.1.x versions prior to 14.1.4.6, when installing Net HSM, the scripts (nethsm-safenet-install.sh and nethsm-thales-install.sh) expose the Net HSM partition password. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
49 | CVE-2022-28774 | 532 | | | 2022-05-11 | 2022-10-26 | 1.9 | None | Local | Medium | Not required | Partial | None | None |
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. |
50 | CVE-2022-28625 | 532 | | | 2022-08-31 | 2022-09-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? |
A local disclosure of sensitive information vulnerability was discovered in HPE OneView version(s): Prior to 7.0 or 6.60.01. A low privileged user could locally exploit this vulnerability to disclose sensitive information resulting in a complete loss of confidentiality, integrity, and availability. To exploit this vulnerability, HPE OneView must be configured with credential access to external repositories. HPE has provided a software update to resolve this vulnerability in HPE OneView. |