Skip to main content

Insertion of Sensitive Information into Log File


Severity Medium
Score 6.3/10


The is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the "cilium-secrets" namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. The output of sensitive information would occur when the Cilium agent restarts, when secrets in the namespace are modified, and on the creation of Ingress or GatewayAPI resources. This vulnerability affects versions 1.7.0-rc3 through 1.11.15, 1.12.0-rc0 through 1.12.8, and 1.13.0-rc0 through 1.13.1 and 1.14.0-snapshot.0 through 1.14.0-snapshot.1.

  • HIGH
  • HIGH
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-532 - Insertion of Sensitive Information into Log File

It's quite common for applications to save logs. For example, whenever a user requests a resource from a particular website, the web server writes information about the request to a log file. These files are helpful for identifying abnormal system activity, bugs, and evaluating the security controls of the application. Security of log files is critical for the overall security of the application and its confidential resources. An application that lacks appropriate logging levels can expose sensitive user data and system information stored on the log files to malicious users. This info can be exploited to compromise your system.

Advisory Timeline

  • Published