CWE-532 (Information Exposure Through Log Files): Vulnerability Class, 604 CVEs

604 vulnerabilities are classified as CWE-532 (Information Exposure Through Log Files); the table below lists 30 of them. AI-generated analysis (in Chinese on the site) is included.

CWE-532 is an information disclosure weakness in which software records sensitive data (passwords, API keys, session tokens, payment card numbers, personal identifiers) in log files. Logs are usually far less protected than the data stores they describe: they are readable by operators and support staff, copied into support bundles, crash dumps and backups, forwarded to log aggregators, and kept for long retention periods. An attacker who reaches them, whether through weak file permissions, an exposed log directory, a shared log pipeline, or a compromised administrative account, can harvest credentials and personal data for account takeover, fraud, or lateral movement inside the environment. Prevention is mainly a development concern: decide per field whether it may be logged at all, log identifiers or masked forms (for example the last four digits of a card number) rather than raw values, and put a redaction filter in the logging pipeline as a backstop for careless call sites. Operationally, restrict read access to log files and collectors, encrypt logs at rest, rotate and purge them on a schedule, and periodically scan existing logs for secrets, because a leak that has already happened is only remediated by purging the data and rotating the exposed credentials. Standards such as PCI DSS treat a card number written to a log as stored cardholder data, so logging it carries the same compliance burden as storing it in a database.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Phase: Architecture and Design, Implementation. Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Phase: Distribution. Remove debug log files before deploying the application into production.
Phase: Operation. Protect log files against unauthorized read/write.
Phase: Implementation. Adjust configurations appropriately when software is transitioned from a debug state to production.
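The Operation mitigation (protect the log files) and the advice to audit logging configurations both presuppose knowing what is already sitting in the logs. The scanner below is an added example in Python (chosen because it runs anywhere; the MITRE examples on this page are Java), not part of the MITRE entry or this site: it walks constructed sample log lines (marked as such in the code), flags Authorization headers, password-style key=value fields and card-number candidates, and applies a Luhn check so that a 16-digit order number is not reported as a card. The sample lines and the pattern set are assumptions for illustration; a real deployment would extend the patterns to its own secret formats and run the scan over the log directory or the aggregator's export.

```python
import re

# Constructed sample log lines (not taken from any real system). Line 1 holds a
# card number that passes the Luhn check, line 4 a 16-digit order id that does not.
SAMPLE_LOG = """\
2024-04-30T10:01:02Z INFO  payment: Username: alice, CCN: 4111111111111111
2024-04-30T10:01:03Z DEBUG http: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
2024-04-30T10:01:04Z INFO  db: connecting with password=S3cr3t!Pass dbname=app
2024-04-30T10:01:05Z INFO  orders: order_id=4111111111111112 shipped
2024-04-30T10:01:06Z INFO  health: probe ok
"""

# Illustrative pattern set (assumption); extend with your own secret formats.
AUTH_HEADER = re.compile(r"(?i)\bAuthorization:\s*(Basic|Bearer)\s+([A-Za-z0-9._~+/=-]+)")
SECRET_FIELD = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*(\S+)")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters so findings are safe to report."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scan_log_lines(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, masked evidence) for each suspected leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AUTH_HEADER.finditer(line):
            findings.append((lineno, "auth_header", f"{m.group(1)} {mask(m.group(2))}"))
        for m in SECRET_FIELD.finditer(line):
            findings.append((lineno, "secret_field", f"{m.group(1)}={mask(m.group(2))}"))
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):   # drop order ids, timestamps and similar
                findings.append((lineno, "pan", mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, kind, evidence in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {evidence}")
```

The findings are reported masked on purpose: a scanner that copies the full secret into its own report just creates a second CWE-532 instance. Feed the output into a ticket that covers both purging the affected log segments and rotating the credentials they exposed.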
Examples (2)
Example 1. In the following code snippet, a user's full name and credit card number are written to a log file.
logger.info("Username: " + username + ", CCN: " + ccn);
Bad · Java
Example 2. This code stores location information about the current user; when an error occurs, the exception and the whole user object, including that location, are written to the device log, which is readable with adb logcat:
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    // The exception text and the full user object, location included, go to the log.
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + currentUser.toString());
}
Bad · Java
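Both MITRE examples above concatenate sensitive values straight into a log call, and the overview paragraph's advice is to mask or exclude such fields before logging. The Python block below is an added example, not MITRE's code and not from this site: it ports the first example to Python's standard logging module, shows the unsafe call beside a call that logs only the last four digits, and installs a logging.Filter that redacts card numbers, password-style fields and Authorization headers after the message and its arguments have been rendered, so a careless call site elsewhere in the code base is still covered. The field names, regexes and the decision to keep the last four digits are assumptions for illustration, not a statement of any compliance rule.

```python
import io
import logging
import re

# Illustrative redaction rules (assumption): long digit runs are treated as card
# numbers and reduced to their last four digits; password-style fields and
# Authorization headers lose their value entirely.
_PAN = re.compile(r"\b(\d{12,15})(\d{4})\b")
_SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)\S+")
_AUTH_HEADER = re.compile(r"(?i)\b(authorization\s*:\s*(?:basic|bearer)\s+)\S+")


def redact(text: str) -> str:
    """Apply the rules above to an already rendered log message."""
    text = _PAN.sub(lambda m: "*" * len(m.group(1)) + m.group(2), text)
    text = _SECRET_FIELD.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    text = _AUTH_HEADER.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Backstop: rewrite every record after its args are rendered into the message.

    Attached to the logger, it runs before any handler, so file, syslog and
    remote handlers all receive the redacted text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()          # args are already folded into msg
        return True               # never drop the record, only clean it


def make_logger(name: str, redacting: bool) -> tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    return logger, buf


def log_payment_unsafe(username: str, ccn: str) -> str:
    """MITRE's first example ported as-is: the full PAN lands in the log."""
    logger, buf = make_logger("cwe532.unsafe", redacting=False)
    logger.info("Username: %s, CCN: %s", username, ccn)
    return buf.getvalue()


def log_payment_safe(username: str, ccn: str) -> str:
    """Log only what the event needs, with the filter as a second line of defence."""
    logger, buf = make_logger("cwe532.safe", redacting=True)
    logger.info("Username: %s, CCN: ****%s", username, ccn[-4:])
    # A careless call site elsewhere in the code base is still caught:
    logger.error("DB connect failed: password=%s host=%s", "S3cr3t!", "db1")
    return buf.getvalue()


if __name__ == "__main__":
    print(log_payment_unsafe("alice", "4111111111111111"), end="")
    print(log_payment_safe("alice", "4111111111111111"), end="")
```

The filter is attached to the logger rather than to one handler so that every sink sees the same redacted text; the same applies to exception text, which in the second MITRE example carries the user object, so format tracebacks through the same redact() call if exceptions can contain connection strings or tokens. Redaction by regex is a backstop, not the design: the first line of defence is the call site that never passes the raw value to the logger at all.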
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-2877 | Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node | Vault Enterprise | 5.5 | Medium | 2024-04-30
CVE-2024-33637 | WordPress Solid Affiliate plugin <= 1.9.1 - Sensitive Data Exposure via Log File vulnerability | Solid Affiliate | 7.5 | High | 2024-04-29
CVE-2024-32788 | WordPress FG Joomla to Wordpress plugin <= 4.20.2 - Sensitive Data Exposure via Log File vulnerability | FG Joomla to WordPress | 5.3 | Medium | 2024-04-24
CVE-2024-32953 | WordPress Newsletters plugin <= 4.9.5 - Sensitive Data Exposure vulnerability | Newsletters | 7.5 | High | 2024-04-24
CVE-2023-6833 | Information Exposure Vulnerability in Hitachi Ops Center Administrator | Hitachi Ops Center Administrator | 4.4 | Medium | 2024-04-23
CVE-2023-22869 | IBM Aspera Faspex information disclosure | Aspera Faspex | 5.5 | Medium | 2024-04-19
CVE-2024-29959 | Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support save | Brocade SANnav | 8.6 | High | 2024-04-19
CVE-2024-29958 | Encryption key in the console when a privileged user executes the script to replace the Brocade SANnav Management Portal standby node | Brocade SANnav | 7.5 | High | 2024-04-19
CVE-2024-29957 | Encryption key is stored in the DR log files | Brocade SANnav | 7.5 | High | 2024-04-19
CVE-2024-32686 | WordPress Backup Migration plugin <= 1.4.3 - Sensitive Data Exposure via Log vulnerability | Backup Migration | 5.3 | Medium | 2024-04-18
CVE-2024-29955 | Insertion of Sensitive Information into Brocade SANnav Log File | Brocade SANnav | 5.0 | Medium | 2024-04-17
CVE-2024-32513 | WordPress Product Feed PRO for WooCommerce plugin <= 13.3.1 - Sensitive Data Exposure vulnerability | Product Feed PRO for WooCommerce | 5.3 | Medium | 2024-04-17
CVE-2024-22440 | HPE Compute Scale-up Server 3200 Server, Disclosure of Sensitive Information | HPE Compute Scale-up Server 3200 Server | 6.8 | Medium | 2024-04-17
CVE-2024-22339 | IBM UrbanCode Deploy information disclosure | UrbanCode Deploy | 4.3 | Medium | 2024-04-12
CVE-2024-31391 | Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials | Apache Solr Operator | 7.5 | - | 2024-04-12
CVE-2024-31245 | WordPress ConvertKit plugin <= 2.4.5 - Email Disclosure in Log File vulnerability | ConvertKit | 5.3 | Medium | 2024-04-10
CVE-2024-31247 | WordPress FG Drupal to WordPress plugin <= 3.70.3 - Sensitive Data Exposure via Log File vulnerability | FG Drupal to WordPress | 5.3 | Medium | 2024-04-10
CVE-2024-31249 | WordPress Subscribe To Comments Reloaded plugin <= 220725 - Sensitive Data Exposure vulnerability | Subscribe To Comments Reloaded | 5.3 | Medium | 2024-04-10
CVE-2024-31254 | WordPress WordPress Backup & Migration plugin <= 1.4.7 - Sensitive Data Exposure via Log File vulnerability | WordPress Backup & Migration | 3.7 | Low | 2024-04-10
CVE-2024-31259 | WordPress SearchIQ plugin <= 4.5 - Sensitive Data Exposure via Log File vulnerability | SearchIQ | 7.5 | High | 2024-04-10
CVE-2024-31298 | WordPress User Spam Remover plugin <= 1.0 - Sensitive Data Exposure via Log File vulnerability | User Spam Remover | 5.3 | Medium | 2024-04-10
CVE-2024-31353 | WordPress Slideshow Gallery LITE plugin <= 1.7.8 - Sensitive Data Exposure vulnerability | Slideshow Gallery | 5.3 | Medium | 2024-04-10
CVE-2024-2302 | Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.2.9 - Sensitive Information Exposure | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 5.3 | Medium | 2024-04-09
CVE-2024-25030 | IBM Db2 log information disclosure vulnerability | Db2 for Linux, UNIX and Windows | 6.2 | Medium | 2024-04-03
CVE-2024-3165 | Database Credential Exposure in the Logs | dotCMS core | 4.5 | Medium | 2024-04-01
CVE-2024-30523 | WordPress Paid Memberships Pro – Mailchimp Add On plugin <= 2.3.4 - Sensitive Data Exposure vulnerability | Paid Memberships Pro – Mailchimp Add On | 5.3 | Medium | 2024-03-31
CVE-2024-30511 | WordPress FG PrestaShop to WooCommerce plugin <= 4.45.1 - Sensitive Data Exposure via Log File vulnerability | FG PrestaShop to WooCommerce | 5.3 | Medium | 2024-03-29
CVE-2024-30514 | WordPress Paid Memberships Pro – Payfast Gateway Add On plugin <= 1.4.1 - Sensitive Data Exposure via Log File vulnerability | Paid Memberships Pro – Payfast Gateway Add On | 5.3 | Medium | 2024-03-29
CVE-2024-25959 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 7.9 | High | 2024-03-28
CVE-2024-22138 | WordPress Seraphinite Accelerator plugin <= 2.20.47 - Sensitive Data Exposure via Log File vulnerability | Seraphinite Accelerator | 5.3 | Medium | 2024-03-28

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) account for 604 CVEs. The CWE entry describes the weakness class; review the individual CVEs for product-specific impact, since the same class covers anything from an e-mail address in a plugin debug log to an encryption key in a disaster-recovery log.