Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local attack vector with no privileges required, consistent with world-readable log files; high confidentiality only, no integrity or availability impact.
Primary rating from Vendor (HCL).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. The application stores potentially sensitive information in log files that could be read by a local user.
AnalysisAI
Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Local access to the operating system hosting HCL DevOps Deploy / HCL Launch is required; remote exploitation is not possible given AV:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.2 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N correctly captures the local-only attack surface but flags a notable anomaly: PR:N (no privileges required) combined with AV:L implies the log files are world-readable by any authenticated OS user, not just privileged accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local OS user on the server hosting HCL DevOps Deploy - such as a developer, contractor, or compromised service account - reads application log files from the default log directory without requiring elevated privileges. The logs contain plaintext credentials, deployment tokens, or environment secrets written during pipeline execution, which the attacker then uses to pivot into downstream systems or cloud environments managed by the DevOps platform. … |
| Remediation | Consult the HCL vendor knowledge base article KB0131696 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131696 for official patch guidance; no exact fixed version number is confirmed in the available intelligence data, so the specific upgrade target must be verified directly with HCL. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hcl Devops Deploy Hcl Launch
View allSensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecti
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42547
GHSA-8r3w-82fq-gwgp