Vulnerability Details :

CVE-2024-41129

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-22 Jul, 2024 | 14:20
Updated At-02 Aug, 2024 | 04:46

The ops library leaks secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command

The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue is that ops passes the secret content as one of the arguments on the command line. This may affect any charm that uses Juju (>=3.0) and Juju secrets and does not correctly capture and process `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor: Canonical Ltd. (canonical)
Product: operator
Versions affected:
  • >= 2.0.0, < 2.15.0
Problem Types
Type: CWE
CWE ID: CWE-532
Description: CWE-532: Insertion of Sensitive Information into Log File
Metrics
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References
  • https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm (Resource: x_refsource_CONFIRM)
  • https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61 (Resource: x_refsource_MISC)
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
2. CVE Program Container
References
  • https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm (Resource: x_refsource_CONFIRM, x_transferred)
  • https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61 (Resource: x_refsource_MISC, x_transferred)
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: security-advisories@github.com
Published At: 22 Jul, 2024 | 15:15
Updated At: 24 Jul, 2024 | 12:55

Metrics
Type: Secondary
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weaknesses
CWE ID: CWE-532
Type: Secondary
Source: security-advisories@github.com
References
  • https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61 (Source: security-advisories@github.com, Resource: N/A)
  • https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm (Source: security-advisories@github.com, Resource: N/A)


Similar CVEs

65 Records found

CVE-2025-23413
Matching Score-4
Assigner-F5, Inc.
CVSS Score-6.7 (MEDIUM)
EPSS-0.04% / 10.86%
7 Day CHG~0.00%
Published-05 Feb, 2025 | 17:31
Updated-12 Feb, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP Next Central Manager vulnerability

When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-BIG-IP Next Central Manager
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-21558
Matching Score-4
Assigner-Dell
CVSS Score-8.2 (HIGH)
EPSS-0.06% / 18.90%
7 Day CHG~0.00%
Published-08 Jun, 2021 | 18:05
Updated-16 Sep, 2024 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs and use the stolen credentials to make changes to the network domain.

Action-Not Available
Vendor-Dell Inc.
Product-emc_networker; NetWorker
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-0148
Matching Score-4
Assigner-Intel Corporation
CVSS Score-4.4 (MEDIUM)
EPSS-0.12% / 32.37%
7 Day CHG~0.00%
Published-17 Nov, 2021 | 19:23
Updated-03 Aug, 2024 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.

Action-Not Available
Vendor-n/a; Intel Corporation
Product-ssd_dc_p4510_u.2_firmware; ssd_dc_p4618_firmware; ssd_d5-p4420_firmware; ssd_dc_p4500; ssd_dc_p4618; ssd_dc_d4512_firmware; ssd_dc_p4501_firmware; ssd_dc_p4511_m.2; ssd_dc_p4511_m.2_firmware; ssd_d-s4510_firmware; ssd_d5-p4326; ssd_dc_p4608_firmware; ssd_dc_p4600_firmware; ssd_d7-p5500_firmware; ssd_dc_p4610_u.2_firmware; ssd_d7-p5500; ssd_dc_p4511_edsff_firmware; ssd_dc_p4610_u.2; ssd_d5-p4420; ssd_d5-p4326_firmware; ssd_d7-p5608; ssd_dc_p4608; ssd_d5-p4320_firmware; ssd_d7-p5608_firmware; ssd_dc_p4500_firmware; ssd_dc_p4501; ssd_d7-p5600_firmware; ssd_dc_d4512; ssd_dc_p4510_edsff_firmware; ssd_dc_p4600; ssd_d7-p5600; ssd_d5-p4320; ssd_dc_p4510_edsff; ssd_d-s4510; ssd_dc_p4511_edsff; ssd_dc_p4510_u.2; Intel(R) SSD DC
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-21492
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-4.4 (MEDIUM)
EPSS-0.49% / 64.70%
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-06-09||Apply updates per vendor instructions.

Kernel pointers printed in the log file prior to SMR May-2023 Release 1 allow a privileged local attacker to bypass ASLR.

Action-Not Available
Vendor-Samsung Electronics; Samsung
Product-android; Samsung Mobile Devices; Mobile Devices
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2020-0476
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-4.4 (MEDIUM)
EPSS-0.02% / 2.93%
7 Day CHG~0.00%
Published-15 Dec, 2020 | 15:54
Updated-04 Aug, 2024 | 06:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onNotificationRemoved of Assistant.java, there is a possible leak of sensitive information to logs. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-162014574

Action-Not Available
Vendor-n/a; Google LLC
Product-android; Android
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-40425
Matching Score-4
Assigner-Apple Inc.
CVSS Score-4.4 (MEDIUM)
EPSS-0.06% / 19.88%
7 Day CHG~0.00%
Published-25 Oct, 2023 | 18:31
Updated-12 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14, macOS Monterey 12.7.1. An app with root privileges may be able to access private information.

Action-Not Available
Vendor-Apple Inc.
Product-macos; macOS
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-39447
Matching Score-4
Assigner-F5, Inc.
CVSS Score-4.4 (MEDIUM)
EPSS-0.15% / 35.66%
7 Day CHG~0.00%
Published-10 Oct, 2023 | 12:32
Updated-18 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP APM Guided Configuration vulnerability

When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_access_policy_manager; big-ip_guided_configuration; BIG-IP
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2019-6648
Matching Score-4
Assigner-F5, Inc.
CVSS Score-4.4 (MEDIUM)
EPSS-0.11% / 29.85%
7 Day CHG~0.00%
Published-04 Sep, 2019 | 15:49
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On version 1.9.0, if DEBUG logging is enabled, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private Key Passphrases provided as inputs by an AS3 Declaration.

Action-Not Available
Vendor-n/a; Red Hat, Inc.; F5, Inc.
Product-container_ingress_service; openshift; F5 Container Ingress Service
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-36494
Matching Score-4
Assigner-F5, Inc.
CVSS Score-4.4 (MEDIUM)
EPSS-0.08% / 24.04%
7 Day CHG~0.00%
Published-02 Aug, 2023 | 15:54
Updated-15 Apr, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
F5OS-A vulnerability

Audit logs on F5OS-A may contain undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-f5os-a; F5OS - Appliance
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-31417
Matching Score-4
Assigner-Elastic
CVSS Score-4.1 (MEDIUM)
EPSS-0.04% / 11.67%
7 Day CHG~0.00%
Published-26 Oct, 2023 | 17:47
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Insertion of sensitive information in audit logs

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearch; Elasticsearch
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-31207
Matching Score-4
Assigner-Checkmk GmbH
CVSS Score-4.4 (MEDIUM)
EPSS-0.04% / 12.06%
7 Day CHG~0.00%
Published-02 May, 2023 | 08:52
Updated-30 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Automation user secret logged to Apache access log

Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log.

Action-Not Available
Vendor-tribe29 GmbH; Checkmk GmbH
Product-checkmk; Checkmk
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-39715
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-4.4 (MEDIUM)
EPSS-0.02% / 2.93%
7 Day CHG~0.00%
Published-16 Mar, 2022 | 14:03
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In __show_regs of process.c, there is a possible leak of kernel memory and addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-178379135. References: Upstream kernel

Action-Not Available
Vendor-n/a; Google LLC
Product-android; Android
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-3036
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-4.4 (MEDIUM)
EPSS-0.13% / 32.90%
7 Day CHG~0.00%
Published-20 Apr, 2021 | 03:15
Updated-17 Sep, 2024 | 04:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Administrator secrets are logged in web server logs when using the PAN-OS XML API incorrectly

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests. Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-os; PAN-OS
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-22310
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-4.4 (MEDIUM)
EPSS-0.03% / 5.80%
7 Day CHG~0.00%
Published-22 Mar, 2021 | 18:38
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an information leakage vulnerability in some Huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00, V500R001C20, V500R001C30; NIP6600 versions V500R001C00, V500R001C20, V500R001C30; Secospace USG6300 versions V500R001C00, V500R001C20, V500R001C30; Secospace USG6500 versions V500R001C00, V500R001C20, V500R001C30; Secospace USG6600 versions V500R001C00, V500R001C20, V500R001C30, V500R001C50, V500R001C60, V500R001C80; USG9500 versions V500R005C00, V500R005C10.

Action-Not Available
Vendor-n/a; Huawei Technologies Co., Ltd.
Product-nip6600; secospace_usg6500_firmware; nip6300; secospace_usg6500; usg9500_firmware; secospace_usg6600_firmware; secospace_usg6300; nip6600_firmware; nip6300_firmware; usg9500; secospace_usg6600; secospace_usg6300_firmware; NIP6300; NIP6600; Secospace USG6300; Secospace USG6500; Secospace USG6600; USG9500
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-0549
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-4.4 (MEDIUM)
EPSS-0.02% / 2.26%
7 Day CHG~0.00%
Published-22 Jun, 2021 | 11:12
Updated-03 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In sspRequestCallback of BondStateMachine.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-183961896

Action-Not Available
Vendor-n/a; Google LLC
Product-android; Android
CWE ID-CWE-532
Insertion of Sensitive Information into Log File