
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 615

615 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated analysis in Chinese included.

CWE-532 is an information disclosure weakness in which software records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. Attackers typically reach such logs through insufficient file permissions, insecure log storage, or a compromised administrative account, and then harvest the exposed data for identity theft, financial fraud, or further intrusion. Preventing it means sanitizing what is logged: sensitive fields must be masked or excluded before a message is written. Access controls and encryption for log storage, together with regular audits of logging configuration, further reduce the risk of accidental exposure. Treating log files as repositories of confidential information shrinks the attack surface and supports compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.
    // the user name and the full card number reach the log in clear text
    logger.info("Username: " + username + ", CCN: " + ccn);
Bad · Java
This code stores location information about the current user:
    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        // the exception text and the full user record, location included, are logged
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }
Bad · Java
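As an added example (not MITRE's code and not this site's), the Python block below implements the mitigation the description and the two "Bad" snippets call for: a logging filter that masks card numbers, password-style query parameters and Authorization header values before the record reaches any handler. The field names, regular expressions and sample log lines are assumptions constructed for illustration; Python's standard logging module is used rather than Java so the filter runs as-is, and the same idea maps onto the filter or rewrite hooks of Java logging frameworks.

```python
import io
import logging
import re

# Added example, not code from MITRE or from the site this page belongs to.
# The patterns and field names below are illustrative assumptions, not an
# exhaustive catalogue of secret shapes.

REDACTED = "[REDACTED]"

# Authorization headers: keep the scheme, drop the credential.
_AUTH_RE = re.compile(r"(?i)(authorization\s*[:=]\s*(?:bearer|basic)\s+)\S+")
# key=value / key: value pairs for well-known secret field names, in free
# text and in URL query strings (both shapes appear in the CVE list above).
_KV_RE = re.compile(
    r"(?i)\b(password|passwd|passphrase|secret|token|access_token|api_key)"
    r"(\s*[=:]\s*)[^&\s,;]+"
)
# Candidate card numbers: 13-19 digits with optional spaces or dashes.
_CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so ordinary long numeric IDs are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # fails Luhn: treat as an ordinary number, leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Return text with credentials and card numbers masked."""
    text = _AUTH_RE.sub(lambda m: m.group(1) + REDACTED, text)
    text = _KV_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    text = _CARD_RE.sub(_mask_card, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first so secrets passed as args are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "redacting-demo") -> tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the effect can be inspected."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, buf


def demo() -> list[str]:
    """Log the same kinds of lines as the 'Bad' examples; return what was written."""
    logger, buf = build_logger()
    # Constructed sample values; the card number is a well-known test number.
    username, ccn = "alice", "4111 1111 1111 1111"
    logger.info("Username: %s, CCN: %s", username, ccn)
    logger.debug("GET /login?user=alice&password=hunter2 HTTP/1.1")
    logger.debug("Request headers: Authorization: Bearer eyJhbGciOi.payload.sig")
    logger.error("Caught exception while on user: order_id=1234567890123 token=abc123")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is attached to the logger rather than to one handler, so every handler (file, console, remote) sees the redacted message. The Luhn check is the caveat a practitioner hits first: without it, any 13-19 digit identifier (order numbers, timestamps in milliseconds) is masked and the logs lose diagnostic value; with it, the `order_id` in the last line is kept while the test card number is masked.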
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-1623 | Junos OS Evolved: ev.ops file may leak sensitive information | Junos OS Evolved | 5.5 | Medium | 2020-04-08
CVE-2020-5262 | GitHub personal access token leaking into temporary EasyBuild (debug) logs | easybuild-framework | 7.7 | High | 2020-03-19
CVE-2019-18576 | Dell EMC XtremIO XMS log information disclosure vulnerability | XtremIO | 6.7 | - | 2020-03-13
CVE-2019-19756 | Lenovo XClarity Administrator log information disclosure vulnerability | XClarity Administrator (LXCA) | 7.9 | High | 2020-03-13
CVE-2018-20105 | yast2-rmt exposes CA private key passphrase in log file | SUSE Linux Enterprise Server 15 | 4.0 | Medium | 2020-01-27
CVE-2020-5225 | Log injection in SimpleSAMLphp | SimpleSAMLphp | 4.4 | Medium | 2020-01-24
CVE-2019-14885 | Red Hat JBoss Enterprise Application Platform log information disclosure vulnerability | JBoss EAP | 6.5 | - | 2020-01-23
CVE-2019-18244 | OSIsoft PI Vision log information disclosure vulnerability | OSIsoft PI System multiple products and versions | 4.7 | - | 2020-01-15
CVE-2019-11292 | Pivotal Ops Manager logs query parameters in tomcat access file | Pivotal Ops Manager | 6.5 | - | 2020-01-08
CVE-2019-11293 | UAA logs all query parameters with debug logging level | UAA Release | 6.5 | - | 2019-12-06
CVE-2019-10195 | Red Hat FreeIPA log information disclosure vulnerability | IPA | 8.1 | - | 2019-11-27
CVE-2019-11290 | Cloud Foundry UAA logs query parameters in tomcat access file | UAA Release | 7.5 | - | 2019-11-25
CVE-2019-11283 | Password leak in smbdriver logs | SMB Volume | 8.8 | - | 2019-10-23
CVE-2019-10212 | Red Hat Undertow log information disclosure vulnerability | undertow | 9.8 | - | 2019-10-02
CVE-2019-3763 | Dell RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance log information disclosure vulnerability | RSA Identity Governance and Lifecycle | 8.8 | High | 2019-09-11
CVE-2019-11250 | Kubernetes client-go logs authorization headers at debug verbosity levels | Kubernetes | 6.5 | - | 2019-08-29
CVE-2019-5634 | Hickory Smart Lock Insecure Logging on Android | Hickory Smart | 4.3 | - | 2019-08-22
CVE-2019-13515 | OSIsoft PI Web API log information disclosure vulnerability | OSIsoft PI Web API | 6.5 | - | 2019-08-15
CVE-2019-1961 | Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability | Cisco Enterprise NFV Infrastructure Software | 4.9 | - | 2019-08-08
CVE-2019-1953 | Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability | Cisco Enterprise NFV Infrastructure Software | 6.5 | - | 2019-08-08
CVE-2019-10165 | Red Hat OpenShift Container Platform log information disclosure vulnerability | openshift | 7.1 | - | 2019-07-30
CVE-2019-11273 | PKS Telemetry logs credentials | Pivotal Container Service (PKS) | 4.3 | - | 2019-07-23
CVE-2019-10194 | oVirt Metrics log information disclosure vulnerability | ovirt-engine-metrics | 5.5 | - | 2019-07-11
CVE-2019-11271 | Bosh Deployment logs leak sensitive information | BOSH | 7.1 | - | 2019-06-18
CVE-2019-3888 | Red Hat Undertow log information disclosure vulnerability | undertow | 9.8 | - | 2019-06-12
CVE-2019-3891 | Red Hat Satellite Candlepin component log information disclosure vulnerability | candlepin | 7.8 | - | 2019-04-12
CVE-2019-3830 | OpenStack Octavia log information disclosure vulnerability | openstack-ceilometer | 5.5 | - | 2019-03-26
CVE-2018-16856 | Red Hat OpenStack Platform log information disclosure vulnerability | openstack-octavia | 6.2 | - | 2019-03-26
CVE-2018-19014 | Multiple Dräger products security vulnerability | Dräger Infinity Delta | 6.5 | - | 2019-01-28
CVE-2018-16889 | debug log information disclosure vulnerability | ceph | 7.5 | - | 2019-01-28

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 615 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.