| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-17397 |
532 |
|
|
2019-10-15 |
2019-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat. |
|
2 |
CVE-2019-16116 |
532 |
|
+Info |
2019-10-02 |
2019-10-10 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash. |
|
3 |
CVE-2019-15508 |
532 |
|
|
2019-08-23 |
2019-08-27 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. |
|
4 |
CVE-2019-15507 |
532 |
|
|
2019-08-23 |
2019-08-27 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. |
|
5 |
CVE-2019-14268 |
532 |
|
|
2019-07-25 |
2019-08-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3. The fix was back-ported to LTS 2019.6.5 as well as LTS 2019.3.7. |
|
6 |
CVE-2019-13515 |
532 |
|
|
2019-08-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information. |
|
7 |
CVE-2019-13509 |
532 |
|
|
2019-07-18 |
2019-08-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. |
|
8 |
CVE-2019-13098 |
532 |
|
|
2019-07-22 |
2019-07-24 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. |
|
9 |
CVE-2019-11492 |
532 |
|
|
2019-04-26 |
2019-04-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ProjectSend before r1070 writes user passwords to the server logs. |
|
10 |
CVE-2019-11336 |
532 |
|
Exec Code |
2019-05-14 |
2019-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886. |
|
11 |
CVE-2019-10367 |
532 |
|
|
2019-08-07 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. |
|
12 |
CVE-2019-10343 |
532 |
|
|
2019-07-31 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. |
|
13 |
CVE-2019-10212 |
532 |
|
|
2019-10-02 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. |
|
14 |
CVE-2019-10194 |
532 |
|
|
2019-07-11 |
2019-08-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts. |
|
15 |
CVE-2019-10159 |
532 |
|
|
2019-06-14 |
2019-08-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available. |
|
16 |
CVE-2019-9734 |
532 |
|
|
2019-04-24 |
2019-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Aquarius CMS through 4.3.5 writes POST and GET parameters (including passwords) to a log file due to an overwriting of configuration parameters under certain circumstances. |
|
17 |
CVE-2019-9724 |
532 |
|
|
2019-04-24 |
2019-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
aquaverde Aquarius CMS through 4.3.5 allows Information Exposure through Log Files because of an error in the Log-File writer component. |
|
18 |
CVE-2019-9277 |
532 |
|
|
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the proc filesystem, there is a possible information disclosure due to log information disclosure. This could lead to local disclosure of app and browser activity with User execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-68016944 |
|
19 |
CVE-2019-6656 |
532 |
|
|
2019-09-25 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12.1.0-12.1.5, and 11.5.1-11.6.5. In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. Client version 7.1.8 (7180.2019.508.705) and later has the fix. |
|
20 |
CVE-2019-6648 |
532 |
|
|
2019-09-04 |
2019-10-09 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by an AS3 Declaration. |
|
21 |
CVE-2019-6158 |
532 |
|
|
2019-05-03 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x. |
|
22 |
CVE-2019-6157 |
532 |
|
|
2019-04-22 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support. |
|
23 |
CVE-2019-5634 |
532 |
|
|
2019-08-22 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions. |
|
24 |
CVE-2019-4299 |
532 |
|
+Info |
2019-07-01 |
2019-10-09 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive information from log files when debugging is enabled. IBM X-Force ID: 160765. |
|
25 |
CVE-2019-4284 |
532 |
|
|
2019-08-05 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Cloud Private 2.1.0 , 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user. IBM X-Force ID: 160512. |
|
26 |
CVE-2019-4225 |
532 |
|
|
2019-06-26 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242. |
|
27 |
CVE-2019-4143 |
532 |
|
|
2019-04-08 |
2019-04-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The IBM Cloud Private Key Management Service (IBM Cloud Private 3.1.1 and 3.1.2) could allow a local user to obtain sensitive from the KMS plugin container log. IBM X-Force ID: 158348. |
|
28 |
CVE-2019-4039 |
532 |
|
DoS |
2019-05-23 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local attacker to cause a denial of service within the error log reporting system. IBM X-Force ID: 156163. |
|
29 |
CVE-2019-4008 |
532 |
|
|
2019-02-07 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626. |
|
30 |
CVE-2019-3891 |
532 |
|
|
2019-04-15 |
2019-05-14 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates. |
|
31 |
CVE-2019-3500 |
532 |
|
+Info |
2019-01-02 |
2019-05-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file. |
|
32 |
CVE-2019-1961 |
532 |
|
|
2019-08-08 |
2019-10-09 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to the improper input validation of tar packages uploaded through the Web Portal to the Image Repository. An attacker could exploit this vulnerability by uploading a crafted tar package and viewing the log entries that are generated. A successful exploit could allow the attacker to read arbitrary files on the underlying OS. |
|
33 |
CVE-2019-1953 |
532 |
|
|
2019-08-08 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to view a password in clear text. The vulnerability is due to incorrectly logging the admin password when a user is forced to modify the default password when logging in to the web portal for the first time. Subsequent password changes are not logged and other accounts are not affected. An attacker could exploit this vulnerability by viewing the admin clear text password and using it to access the affected system. The attacker would need a valid user account to exploit this vulnerability. |
|
34 |
CVE-2019-0380 |
532 |
|
|
2019-10-08 |
2019-10-15 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Under certain conditions, SAP Landscape Management enterprise edition, before version 3.0, allows custom secure parameters? default values to be part of the application logs leading to Information Disclosure. |
|
35 |
CVE-2019-0202 |
532 |
|
|
2019-07-25 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints. |
|
36 |
CVE-2019-0021 |
532 |
|
|
2019-01-15 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
On Juniper ATP, secret passphrase CLI inputs, such as "set mcm", are logged to /var/log/syslog in clear text, allowing authenticated local user to be able to view these secret information. This issue affects Juniper ATP 5.0 versions prior to 5.0.4. |
|
37 |
CVE-2018-1999036 |
532 |
|
|
2018-08-01 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. |
|
38 |
CVE-2018-1000123 |
532 |
|
+Info |
2018-03-13 |
2018-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf. |
|
39 |
CVE-2018-1000089 |
532 |
|
|
2018-03-13 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4. |
|
40 |
CVE-2018-1000060 |
532 |
|
|
2018-02-09 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive() that can result in sensitive configuration data (e.g. passwords) may be logged in clear-text. This attack appear to be exploitable via victims with configuration matching a specific pattern will observe sensitive data outputted in their service log files. This vulnerability appears to have been fixed in 1.2.1 and later, after commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b. |
|
41 |
CVE-2018-1000018 |
532 |
|
|
2018-01-24 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file. |
|
42 |
CVE-2018-20956 |
532 |
|
|
2019-08-08 |
2019-08-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory reset. |
|
43 |
CVE-2018-19865 |
532 |
|
|
2018-12-05 |
2019-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. |
|
44 |
CVE-2018-19786 |
532 |
|
|
2018-12-05 |
2018-12-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. |
|
45 |
CVE-2018-19583 |
532 |
|
|
2019-07-10 |
2019-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token. |
|
46 |
CVE-2018-19014 |
532 |
|
|
2019-01-28 |
2019-10-09 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network connection. By accessing the log files, an attacker is able to gain insights about internals of the patient monitor, the location of the monitor, and wired network configuration. |
|
47 |
CVE-2018-17922 |
532 |
|
|
2018-11-02 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Circontrol CirCarLife all versions prior to 4.3.1, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication. |
|
48 |
CVE-2018-17447 |
532 |
|
|
2018-10-23 |
2018-12-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An Information Exposure Through Log Files issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4. |
|
49 |
CVE-2018-16859 |
532 |
|
|
2018-11-29 |
2019-04-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable. |
|
50 |
CVE-2018-16856 |
532 |
|
|
2019-03-26 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure. |
