
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 627

627 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 represents a critical information disclosure weakness where software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. This vulnerability is typically exploited by attackers who gain access to these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must implement strict data sanitization protocols, ensuring that sensitive fields are masked or excluded before logging. Additionally, employing robust access controls and encryption for log storage, alongside regular audits of logging configurations, helps mitigate the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
- Confidentiality: Read Application Data. Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
- Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
- Distribution: Remove debug log files before deploying the application into production.
- Operation: Protect log files against unauthorized read/write.
- Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)

In the following code snippet, a user's full name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user. The catch block then writes the exception together with the full User object, including its location, into the log:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
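The two snippets above show the mistake; the following is an added example (not part of this page or of MITRE's CWE-532 entry) of the hardened forms the description paragraph calls for: masking the card number before it reaches the logger, giving User a toString() that omits sensitive fields, passing the exception to the logger as a throwable instead of concatenating user state, and installing a log filter as a last line of defence. It uses only java.util.logging; the class, field and method names (SafeLogging, User, maskCard, describePayment, handleFailure, containsFullPan) and the sample user record are assumptions constructed for this illustration.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example: hardened counterparts of the two CWE-532 snippets above.
// Names and sample values are assumptions chosen for this illustration.
public class SafeLogging {
    private static final Logger LOG = Logger.getLogger("payments");

    // Constructed sample record, shaped like the User in the second snippet.
    static final class User {
        final String username;
        final String creditCardNumber; // sensitive: must never reach a log
        final String lastLocation;     // sensitive: personal data
        final String correlationId;    // safe: opaque id for support tickets

        User(String username, String ccn, String location, String correlationId) {
            this.username = username;
            this.creditCardNumber = ccn;
            this.lastLocation = location;
            this.correlationId = correlationId;
        }

        // Deliberately excludes the sensitive fields, so even an accidental
        // "User: " + user in a log line cannot leak the card or the location.
        @Override public String toString() {
            return "User{username=" + username + ", correlationId=" + correlationId + "}";
        }
    }

    // Keep only the last four digits of a card number (PCI DSS-style masking).
    static String maskCard(String ccn) {
        if (ccn == null) return "null";
        String digits = ccn.replaceAll("[^0-9]", "");
        if (digits.length() < 4) return "****";
        return "****" + digits.substring(digits.length() - 4);
    }

    // Hardened counterpart of: logger.info("Username: " + username + ", CCN: " + ccn);
    static String describePayment(User user) {
        String line = "Payment by " + user.username
                + " with card " + maskCard(user.creditCardNumber);
        LOG.info(line);
        return line;
    }

    // Hardened counterpart of the Android catch block: the throwable goes to the
    // logger as a parameter (stack trace preserved, no string concatenation of
    // user state) and the user is identified by correlation id only.
    static String handleFailure(User user, Exception e) {
        String line = "Location update failed for correlationId=" + user.correlationId;
        LOG.log(Level.SEVERE, line, e);
        return line;
    }

    // Last line of defence: reject records that look like they carry a full
    // primary account number (13-19 consecutive digits), catching the mistake
    // that code review missed. A masked "****1111" does not match.
    private static final Pattern PAN = Pattern.compile("\\b\\d{13,19}\\b");

    static boolean containsFullPan(String message) {
        return message != null && PAN.matcher(message).find();
    }

    public static void main(String[] args) {
        LOG.setUseParentHandlers(false);
        LOG.addHandler(new ConsoleHandler());
        // java.util.logging.Filter is a functional interface, so a lambda works here.
        LOG.setFilter(record -> !containsFullPan(record.getMessage()));

        // Constructed sample input; the card number is a well-known test value.
        User u = new User("alice", "4111111111111111", "52.52,13.40", "req-7f3a");

        describePayment(u);                                   // logged as "... card ****1111"
        LOG.info("DEBUG dump: " + u.creditCardNumber);        // dropped by the filter
        handleFailure(u, new IllegalStateException("location service unavailable"));
    }
}
```

The filter is deliberately the last layer, not the first: a regex over the formatted message cannot recognise every secret (tokens, passwords and session ids have no fixed shape), so the primary control remains keeping sensitive fields out of the log call and out of toString(). Compile and run with `javac SafeLogging.java && java SafeLogging`; the three log calls in main produce two records on stderr and one silently dropped record.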
Entries marked (AI) carry a score or severity produced by the site's AI analysis; "-" means no severity was recorded.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-12292 | Insertion of Sensitive Information into Log File in GitLab | GitLab | 4.0 | Medium | 2024-12-12 |
| CVE-2024-42407 | Gallagher Command Centre Server security vulnerability | Command Centre Server | 8.5 | High | 2024-12-12 |
| CVE-2024-12057 | User credentials recorded in log files | PcVue | 8.1 | - | 2024-12-09 |
| CVE-2024-42196 | HCL Launch is susceptible to Insertion of Sensitive Information into Log File vulnerability | Launch | 6.2 | Medium | 2024-12-06 |
| CVE-2024-47094 | Logging of sitesecret to automations log | Checkmk | 7.5 | - | 2024-11-29 |
| CVE-2024-52067 | Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log | Apache NiFi | 4.9 (AI) | Medium (AI) | 2024-11-21 |
| CVE-2022-43937 | Brocade SANnav Information Disclosure Vulnerability | SANnav | 5.7 | Medium | 2024-11-21 |
| CVE-2022-43936 | Brocade Fabric OS switch passwords when debugging is enabled | SANnav | 6.8 | Medium | 2024-11-21 |
| CVE-2022-43935 | Switch passwords and authorization IDs are printed in the embedded MLS DB file | SANnav | 5.3 | Medium | 2024-11-21 |
| CVE-2024-11193 | YugabyteDB security vulnerability | YugabyteDB Anywhere | 7.8 (AI) | High (AI) | 2024-11-13 |
| CVE-2024-11165 | YugabyteDB security vulnerability | YugabyteDB Anywhere | 4.9 (AI) | Medium (AI) | 2024-11-13 |
| CVE-2024-52009 | Git credentials are exposed in atlantis logs | atlantis | 8.8 | - | 2024-11-08 |
| CVE-2024-51752 | Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-nextjs | authkit-nextjs | 5.3 (AI) | Medium (AI) | 2024-11-05 |
| CVE-2024-51753 | Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-remix | authkit-remix | 5.3 (AI) | Medium (AI) | 2024-11-05 |
| CVE-2024-51528 | Huawei HarmonyOS and Huawei EMUI security vulnerability | HarmonyOS | 4.0 | Medium | 2024-11-05 |
| CVE-2024-10544 | Woo Manage Fraud Orders <= 2.6.1 - Unauthenticated Information Exposure via Log Files | Woo Manage Fraud Orders | 5.3 | Medium | 2024-10-31 |
| CVE-2024-49750 | Snowflake Connector for Python has sensitive data in logs | snowflake-connector-python | 5.5 | Medium | 2024-10-24 |
| CVE-2023-22649 | Rancher 'Audit Log' leaks sensitive information | rancher | 8.4 | High | 2024-10-16 |
| CVE-2024-38862 | SNMP and IMPI secrets written to audit log | Checkmk | 4.9 (AI) | Medium (AI) | 2024-10-14 |
| CVE-2024-8264 | Sensitive information in agent log file when detailed logging is enabled with Robot Schedule Enterprise prior to version 3.05 | Robot Schedule Enterprise | 5.5 | Medium | 2024-10-09 |
| CVE-2024-9466 | Expedition: Cleartext Storage of Information Leads to Firewall Admin Credential Disclosure | Expedition | 8.1 (AI) | High (AI) | 2024-10-09 |
| CVE-2024-47822 | Directus inserts access token from query string into logs | directus | 4.2 | Medium | 2024-10-08 |
| CVE-2024-9621 | Io.quarkiverse.cxf:quarkus-cxf: quarkus cxf may log user password and secret to application log | | 5.3 | Medium | 2024-10-08 |
| CVE-2024-8609 | Improper Access Control in Oceanic Software's ValeApp | ValeApp | 7.5 (AI) | High (AI) | 2024-09-27 |
| CVE-2023-46175 | IBM Cloud Pak for Multicloud Management information disclosure | Cloud Pak for Multicloud Management | 4.4 | Medium | 2024-09-26 |
| CVE-2022-49037 | Synology Drive log information disclosure vulnerability | Synology Drive Client | 6.5 | Medium | 2024-09-26 |
| CVE-2024-7421 | Devolutions Remote Desktop Manager security vulnerability | Remote Desktop Manager | 7.1 (AI) | High (AI) | 2024-09-25 |
| CVE-2024-43990 | WordPress Masterstudy LMS Starter theme <= 1.1.8 - Sensitive Data Exposure vulnerability | Masterstudy LMS Starter | 5.3 | Medium | 2024-09-25 |
| CVE-2024-8775 | Ansible-core: exposure of sensitive information in ansible vault files due to improper logging | | 5.5 | Medium | 2024-09-14 |
| CVE-2024-4472 | Insertion of Sensitive Information into Log File in GitLab | GitLab | 4.0 | Medium | 2024-09-12 |

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 627 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.