The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the org.conroller.js code would erroneously log user secrets. This has been resolved in commit 46d98f2b and should be available in subsequent versions of the software. Users of the software are advised to manually apply the 46d98f2b commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cve-services | Cve | * | 1.1.1 (including) |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: