325 matches found

OSV
added 2023/10/20 12:31 p.m. · 0 views

GHSA-XFRJ-6VVC-3XM2 Apache Santuario - XML Security for Java are vulnerable to private key disclosure

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...

CVSS 6.5 · AI score 6.7 · EPSS 0.00173
Exploits 0 · References 6
OSV
added 2023/10/20 10:15 a.m. · 1 view

DEBIAN-CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...

CVSS 6.5 · AI score 6.5 · EPSS 0.00173
Exploits 0 · References 1
Elastic
added 2023/10/17 12:07 p.m. · 6 views

Endpoint v8.10.4 Security Update

Elastic Endpoint Insertion of Sensitive Information into Log File ESA-2023-21 If Elastic Endpoint v7.9.0 - v8.10.3 is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to...

CVSS 9.1 · AI score 6.9 · EPSS 0.00308
Exploits 0
Positive Technologies
added 2023/10/17 12:00 a.m. · 3 views

PT-2023-6653 · Elastic · Agent +2

Name of the Vulnerable Software and Affected Versions: Elastic Endpoint versions 7.9.0 through 8.10.3 Description: The issue is related to insufficient protection of registration data in Elastic Endpoint, which can allow a remote attacker to disclose protected information. When Elastic Endpoint i...

CVSS 9.1 · AI score 8.8 · EPSS 0.00308
Exploits 0 · References 9
FreeBSD
added 2023/09/12 12:00 a.m. · 8 views

zeek -- potential DoS vulnerabilities

Tim Wojtulewicz of Corelight reports: File extraction limits were not correctly enforced for files containing large amounts of missing bytes. Sessions are sometimes not cleaned up completely within Zeek during shutdown, potentially causing a crash when using the -B dpd flag for debug logging. A...

AI score 7.4
Exploits 0 · References 1
Veracode
added 2023/08/15 3:53 p.m. · 22 views

Denial Of Service (DoS)

libbind9.so is vulnerable to Denial Of Service (DoS). The vulnerability exists when debug logging is turned on, due to assertion errors in renderecs which allows an attacker to cause an application crash...

CVSS 7 · AI score 6.7 · EPSS 0.23585
Exploits 0 · References 5 · Affected Software 1
Prion
added 2023/07/03 5:15 p.m. · 45 views

Format string

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is...

CVSS 5 · AI score 5.2 · EPSS 0.00064
Exploits 1 · References 4 · Affected Software 1
OSV
added 2023/05/04 9:15 p.m. · 2 views

CVE-2023-31413

Filebeat versions through 7.17.9 and 8.6.2 have a flaw in httpjson input that allows the http request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled...

CVSS 3.3 · AI score 5.8 · EPSS 0.00053
Exploits 0 · References 2
Prion
added 2023/05/04 9:15 p.m. · 24 views

Authorization

Filebeat versions through 7.17.9 and 8.6.2 have a flaw in httpjson input that allows the http request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled...

CVSS 1.7 · AI score 4 · EPSS 0.00053
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/05/04 12:00 a.m. · 9 views

CVE-2023-31413

Filebeat versions through 7.17.9 and 8.6.2 have a flaw in httpjson input that allows the http request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled...

AI score 3.8 · EPSS 0.00053
Exploits 0 · References 2
OSV
added 2023/05/02 4:51 p.m. · 22 views

GHSA-G35X-J6JJ-8G7J @mittwald/kubernetes's secret contents leaked via debug logging

Impact When debug logging is enabled via DEBUG environment variable, the Kubernetes client may log all response bodies into the debug log -- including sensitive data from Secret resources. When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorise...

CVSS 4.4 · AI score 6.7
Exploits 0 · References 4
Github Security Blog
added 2023/05/02 4:51 p.m. · 17 views

@mittwald/kubernetes's secret contents leaked via debug logging

Impact When debug logging is enabled via DEBUG environment variable, the Kubernetes client may log all response bodies into the debug log -- including sensitive data from Secret resources. When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorise...

AI score 6.5
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/05/02 12:00 a.m. · 4 views

PT-2023-9265 · Elastic +1 · Filebeat +1

Name of the Vulnerable Software and Affected Versions: Filebeat versions through 7.17.9 and 8.6.2 Description: The issue is related to a flaw in the httpjson input of Filebeat, which allows the contents of the http request Authorization or Proxy-Authorization header to be leaked in the logs when...

CVSS 5.5 · AI score 6.8 · EPSS 0.00053
Exploits 0 · References 8
Positive Technologies
added 2023/05/02 12:00 a.m. · 2 views

PT-2023-33015 · Unknown · Kubernetes Client

Name of the Vulnerable Software and Affected Versions: Kubernetes client versions prior to 3.5.0 Description: The issue allows sensitive data from Secret resources to be logged into the debug log when debug logging is enabled via the DEBUG environment variable. This could expose sensitive...

CVSS 4.4 · AI score 6.8
Exploits 0 · References 5
Positive Technologies
added 2023/04/27 12:00 a.m. · 3 views

PT-2023-22270 · Lightbend · Alpakka Kafka

Name of the Vulnerable Software and Affected Versions: Lightbend Alpakka Kafka versions prior to 5.0.0 Description: The issue allows log files to contain credentials if plain cleartext login is configured, as the configuration is logged as debug information. This occurs in the...

CVSS 5.5 · AI score 6.9 · EPSS 0.0006
Exploits 0 · References 9
RustSec
added 2023/04/19 12:00 p.m. · 2 views

Logs AWS credentials when TRACE-level logging is enabled

aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...

CVSS 5.5 · AI score 6 · EPSS 0.00064
Exploits 0 · Affected Software 1
CNVD
added 2023/04/18 12:00 a.m. · 12 views

Terminalfour Information Disclosure Vulnerability

Terminalfour is a digital marketing and web content management platform for higher education from Terminalfour, Inc. Terminalfour suffers from an information disclosure vulnerability that stems from insufficient protection of sensitive information when debug logging is enabled. An attacker could...

AI score 4.8 · EPSS 0.00311
Exploits 0 · Affected Software 4
OSV
added 2023/04/12 2:15 p.m. · 2 views

CVE-2023-23591

The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3.11.1, and 8.3.14.1...

CVSS 4.9 · AI score 5.8 · EPSS 0.00311
Exploits 0 · References 2
Prion
added 2023/04/12 2:15 p.m. · 17 views

Design/Logic Flaw

The Logback component in Terminalfour before 8.3.14.1 allows OS administrators to obtain sensitive information from application server logs when debug logging is enabled. The fixed versions are 8.2.18.7, 8.2.18.2.2, 8.3.11.1, and 8.3.14.1...

CVSS 3.3 · AI score 4.8 · EPSS 0.00311
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2023/04/12 12:00 a.m. · 4 views

PT-2023-19064 · Unknown +1 · Terminalfour +1

Name of the Vulnerable Software and Affected Versions: Terminalfour versions prior to 8.2.18.7; Terminalfour versions prior to 8.2.18.2.2; Terminalfour versions prior to 8.3.11.1; Terminalfour versions prior to 8.3.14.1 Description: The Logback component in Terminalfour allows OS administrators to...

CVSS 4.9 · AI score 6.7 · EPSS 0.00311
Exploits 0 · References 4