
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is an information disclosure weakness in which software records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. Attackers typically reach these logs through overly permissive file permissions, insecure log storage, or a compromised administrative account; once read, the exposed data can be harvested for identity theft, financial fraud, or further intrusion into the system. The primary defence is sanitization before logging: sensitive fields are masked or omitted so that they never reach the log record. Restricting access to log storage, encrypting it, and auditing logging configurations regularly (in particular when debug logging is turned on) limit the damage when a log is nevertheless exposed. Treating log files as the repositories of confidential information they often become reduces the attack surface and keeps the organisation within its data protection obligations.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.

Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file:

// Bad: the raw card number becomes part of the log record and is readable by anyone who can read the log
logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java
This code stores location information about the current user and, when an exception occurs, writes the whole user object (location included) to the log:

locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    // Bad: the exception text and the serialized user (with the location just stored) end up in the log
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}

Bad · Java
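The mitigation the description and both examples point at is to redact before the record reaches disk. The Python block below is an added example, not MITRE's code and not taken from any project in the CVE list; the regular expressions, the logger name `cwe532-demo` and the sample inputs are constructed for it. It generalises the two Java snippets: `log_checkout` is the "Username/CCN" line, and `log_failed_login` is the exception-with-user-data pattern, where the traceback is redacted as well because the formatter rewrites the final rendered line rather than only the format string.

```python
import io
import logging
import re

# Patterns for values that must never reach a log file. These are constructed
# for this example; extend them to the data your own application handles.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digit card numbers, optional separators
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|authorization)(\s*[=:]\s*)([^\s,;&\"']+)"
)
BASIC_AUTH_URL_RE = re.compile(r"(?i)(https?://)([^/\s:@]+):([^/\s@]+)@")  # user:pass@host


def redact(text: str) -> str:
    """Mask secrets in an already-formatted message.

    Card numbers keep their last four digits (enough for support staff to
    correlate a transaction); key=value secrets and basic-auth passwords
    embedded in URLs are replaced outright.
    """
    def mask_card(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]

    text = CARD_RE.sub(mask_card, text)
    text = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    text = BASIC_AUTH_URL_RE.sub(r"\1\2:[REDACTED]@", text)
    return text


class RedactingFormatter(logging.Formatter):
    """Redacts the final rendered line, so interpolated arguments and appended
    exception tracebacks are covered, not just the format string."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def make_logger(stream: io.StringIO) -> logging.Logger:
    """Build an isolated logger that writes to `stream` through the redacting formatter."""
    logger = logging.getLogger("cwe532-demo")  # hypothetical name for this example
    logger.handlers.clear()  # keep repeated calls from stacking handlers
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def log_checkout(username: str, ccn: str) -> str:
    """The first MITRE example sent through the hardened logger; returns the
    line that would be written to the log file."""
    stream = io.StringIO()
    make_logger(stream).info("Username: %s, CCN: %s", username, ccn)
    return stream.getvalue().rstrip("\n")


def log_failed_login(username: str, password: str) -> str:
    """The second MITRE pattern: an exception whose message carries user data,
    logged with its traceback. The traceback is part of the formatted record,
    so it is redacted too."""
    stream = io.StringIO()
    logger = make_logger(stream)
    try:
        # Constructed failure: a library that (badly) echoes the credential back.
        raise ValueError(f"auth failed for user={username} password={password}")
    except ValueError:
        logger.error("Caught exception while on user %s", username, exc_info=True)
    return stream.getvalue()


if __name__ == "__main__":
    print(log_checkout("alice", "4111 1111 1111 1111"))
    print(log_failed_login("alice", "hunter2"))
```

Redacting in the formatter rather than at each call site is what makes this robust against the second example: an exception's `str()` or a `toString()` is only expanded when the record is rendered, so a filter on the format string alone would miss it. The regexes are deliberately narrow; a 13-to-16-digit run that is not a card number (a long ticket id, for instance) would also be masked, which is the safer direction for a log.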
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-37205 | WordPress affiliate-toolkit plugin <= 3.4.4 - Sensitive Data Exposure via Log File vulnerability | affiliate-toolkit | 5.3 | Medium | 2024-07-10
CVE-2024-37270 | WordPress TrustedLogin Vendor plugin < 1.1.1 - Sensitive Data Exposure vulnerability | TrustedLogin Vendor | 5.3 | Medium | 2024-07-10
CVE-2024-27784 | Fortinet FortiAIOps log information disclosure vulnerability | FortiAIOps | 8.3 | High | 2024-07-09
CVE-2024-32757 | American Dynamics Illustra Essentials Gen 4 - Linux Credential Leak | American Dynamics Illustra Essentials Gen 4 | 6.8 | Medium | 2024-07-02
CVE-2023-30430 | IBM Security Verify Access information disclosure | Security Verify Access | 5.5 | Medium | 2024-06-27
CVE-2024-28830 | Automation user secrets written to audit log | Checkmk | 2.7 | Low | 2024-06-26
CVE-2024-29177 | Dell PowerProtect Data Domain log information disclosure vulnerability | PowerProtect DD | 2.7 | Low | 2024-06-26
CVE-2024-6060 | phloc-webbasics security vulnerability | Webscopes | 7.1 (AI) | High (AI) | 2024-06-25
CVE-2024-6104 | go-retryablehttp can leak basic auth credentials to log files | Shared library | 6.0 | Medium | 2024-06-24
CVE-2022-44587 | WordPress WP 2FA plugin <= 2.6.3 - Sensitive Data Exposure via Log File vulnerability | WP 2FA | 5.3 | Medium | 2024-06-21
CVE-2024-27157 | Leak of authentication sessions in secure logs | Toshiba Tec e-Studio multi-function peripheral (MFP) | 6.8 | Medium | 2024-06-14
CVE-2024-27156 | Leak of authentication sessions in secure logs | Toshiba Tec e-Studio multi-function peripheral (MFP) | 6.8 | Medium | 2024-06-14
CVE-2024-27154 | Passwords are stored in clear-text logs | Toshiba Tec e-Studio multi-function peripheral (MFP) | 6.2 | Medium | 2024-06-14
CVE-2024-5557 | Schneider Electric SpaceLogic AS-P log information disclosure vulnerability | SpaceLogic AS-P | 4.5 | Medium | 2024-06-12
CVE-2024-5908 | GlobalProtect App: Encrypted Credential Exposure via Log Files | GlobalProtect App | 5.5 (AI) | Medium (AI) | 2024-06-12
CVE-2024-32811 | WordPress USPS Shipping for WooCommerce – Live Rates plugin <= 1.9.4 - Sensitive Data Exposure via Log File vulnerability | USPS Shipping for WooCommerce – Live Rates | 5.3 | Medium | 2024-06-09
CVE-2024-0912 | CCURE passwords exposed to administrators | Software House C•CURE 9000 | 7.5 (AI) | High (AI) | 2024-06-05
CVE-2024-25095 | WordPress Easy Forms for Mailchimp plugin <= 6.9.0 - Sensitive Data Exposure via Log File vulnerability | Easy Forms for Mailchimp | 7.5 | High | 2024-06-04
CVE-2024-34798 | WordPress Debug Log – Manger Tool plugin <= 1.4.5 - Sensitive Data Exposure vulnerability | Debug Log – Manger Tool | 5.3 | Medium | 2024-06-03
CVE-2024-35196 | Slack integration leaks sensitive information in logs in Sentry | sentry | 2.0 | Low | 2024-05-31
CVE-2024-34715 | Partial Password Exposure Vulnerability in Fides Webserver Logs | fides | 2.3 | Low | 2024-05-29
CVE-2024-31216 | source-controller leaks the Azure Storage SAS token into logs on connection errors | source-controller | 5.1 | Medium | 2024-05-15
CVE-2024-3744 | Kubernetes azure-file-csi-driver in versions before 1.29.4 and 1.30.1 discloses service account tokens in logs | azure-file-csi-driver | 6.5 | Medium | 2024-05-15
CVE-2024-34706 | @valtimo/components exposes access token to form.io | valtimo-frontend-libraries | 9.8 | Critical | 2024-05-13
CVE-2024-34353 | matrix-sdk-crypto contains a log exposure of private key of the server-side key backup | matrix-sdk-crypto | 5.5 | Medium | 2024-05-13
CVE-2024-34550 | WordPress Dynamics 365 Integration plugin <= 1.3.17 - Sensitive Data Exposure vulnerability | Dynamics 365 Integration | 5.3 | Medium | 2024-05-09
CVE-2024-34559 | WordPress Ghost plugin <= 1.4.0 - Sensitive Data Exposure via Log File vulnerability | Ghost | 7.5 | High | 2024-05-09
CVE-2023-40694 | IBM Watson CP4D Data Stores information disclosure | Watson CP4D Data Stores | 6.2 | Medium | 2024-05-07
CVE-2024-28072 | Arbitrary File Overwrite Vulnerability | Serv-U | 5.7 | Medium | 2024-05-03
CVE-2024-33922 | WordPress WP Media Cleaner plugin <= 6.7.2 - Sensitive Data Exposure via Log File vulnerability | WP Media Cleaner | 5.3 | Medium | 2024-05-02

Scores marked (AI) carry the page's AI tag rather than a vendor- or NVD-assigned value.

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.