Gryph, Information Disclosure via Logging Levels, CVE-2024-XXXX (Medium)

Listen to this Post

How the mentioned CVE works:

Gryph uses logging levels (minimal, standard, full) to control what gets logged to a local SQLite database. The README falsely claims the default level is “minimal”, but source code reveals the default is actually “standard”. At the standard and full levels, sensitive file-write operations retain their content in three database fields: ContentPreview, OldString, and NewString. This happens because the logging mechanism does not properly filter or redact sensitive data from file operations. An attacker or malicious process that gains access to the SQLite database file (e.g., via backup, export, or system compromise) can read these fields. The stored payload includes the actual data written to files, violating Gryph’s own security contract that promises sensitive file filtering and minimal logging by default. The vulnerability is not remotely exploitable; it requires prior access to the local database. However, any user who assumed that default logging excludes sensitive content is misled. The issue was fixed in v0.7.0 by adjusting the default log level and sanitizing logged file content.

dailycve form:

Platform: Gryph
Version: < v0.7.0
Vulnerability: Sensitive data logging
Severity: Medium
date: 2024-08-15

Prediction: 2024-09-01

What Undercode Say:

Check current Gryph version
gryph --version
Locate SQLite database (default path)
find ~ -name ".db" -path "gryph" 2>/dev/null
Examine logged sensitive fields
sqlite3 gryph.db "SELECT ContentPreview, OldString, NewString FROM logs WHERE level='standard';"
Verify default log level in config
grep -i "log_level" ~/.gryph/config.yaml

Exploit:

No remote exploit exists. Local attacker with read access to the user’s home directory copies `gryph.db` and extracts file write contents using SQLite queries. Example: strings gryph.db | grep -E "ContentPreview|OldString|NewString".

Protection from this CVE:

Upgrade to Gryph v0.7.0 or later. If upgrade impossible, manually set log level to “minimal” in config and delete existing database: rm ~/.gryph/gryph.db. Use filesystem encryption to protect database at rest.

Impact:

Exposure of sensitive file contents (e.g., passwords, API keys, source code) written by coding agents. Only affects users whose local SQLite database is stolen or exported, but violates expected privacy guarantees.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top