CWE-532 (Information Exposure Through Log Files) — Vulnerability Class (604 CVEs)

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is an information disclosure weakness in which software records sensitive data into log files: passwords, API keys and session tokens, credit card numbers, personal identifiers, or internal details such as full paths and configuration values. Logs are usually protected far less rigorously than the primary data store. They are readable by operators and support staff, shipped to aggregation services, rotated onto backup media and bundled into diagnostic archives, so an attacker who obtains them through weak file permissions, an exposed log viewer or a compromised administrative account gets a second, easier path to the data. The harvested values can often be used directly (a logged session token or database password grants access without any further exploitation) or fed into identity theft and financial fraud. Prevention belongs at the point of logging: exclude or mask sensitive fields before the message is formatted, never log raw request bodies, headers or serialized objects, and make sure debug-level output and stack-trace dumps of object state are disabled in production. Operationally, restrict read access to log files and their copies, encrypt log storage and transport, and periodically audit both the logging configuration and the produced logs for leaked values. Treating log files as a store of potentially confidential information keeps them from becoming the weakest part of the attack surface and supports compliance with data protection requirements.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
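The Operation and Implementation mitigations above are the ones most often skipped: a debug log is left enabled after release and the file it writes is world-readable. The script below is an added example, not code from MITRE or from any product listed on this page, of how to audit an existing log file for both problems: it checks the file mode and scans each line for values that should never have been logged. The detector patterns, the sample log lines and the file name are constructed for the illustration; the patterns are deliberately narrow (credential key=value pairs, Authorization headers, JWT-shaped strings, private key blocks) and would be extended for a real deployment.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Constructed detectors for values that have no business in a log line. Each
# pattern's last group is the secret itself, so a report can say where a leak
# is without repeating it.
SECRET_PATTERNS = {
    # key=value / key: value for common credential field names
    "credential_field": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?token)\b\s*[=:]\s*(\S+)"),
    # an HTTP Authorization header dumped together with the request headers
    "authorization_header": re.compile(
        r"(?i)authorization:\s*(bearer|basic)\s+([A-Za-z0-9._~+/=-]+)"),
    # three base64url segments joined by dots: the shape of a JWT
    "jwt": re.compile(r"\b(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\b"),
    # a private key block, e.g. from a config dump at debug level
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # redacted excerpt, safe to include in a report

def redact(value: str) -> str:
    """Keep the first and last two characters: enough to correlate, not to reuse."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]

def scan_lines(lines) -> list:
    """Return one Finding per line that matches any detector."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(no, kind, redact(secret)))
                break  # one finding per line is enough for triage
    return findings

def check_permissions(path: str) -> list:
    """Mode problems for a log file: it must not be readable or writable by
    'other', nor writable by the group (protect log files against
    unauthorized read/write)."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems

def audit_log_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = scan_lines(fh)
    return {"permissions": check_permissions(path), "findings": findings}

# Constructed sample of a debug log that was left enabled in production.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO  request GET /health 200
2024-03-01T10:00:02Z DEBUG connecting db_user=app password=Hunter2!2024 host=db.internal
2024-03-01T10:00:03Z DEBUG headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl
2024-03-01T10:00:04Z INFO  request POST /login 302
2024-03-01T10:00:05Z ERROR config dump: -----BEGIN RSA PRIVATE KEY-----
"""

def demo() -> dict:
    """Write the sample to a temporary file with a weak mode (0644) and audit it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    os.chmod(path, 0o644)  # the mode the permission check should flag
    try:
        return audit_log_file(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    report = demo()
    print("permission problems:", report["permissions"] or "none")
    for f in report["findings"]:
        print(f"line {f.line_no}: {f.kind} -> {f.preview}")
```

The report only ever contains the redacted preview, so the audit output can itself be stored or shared without recreating the leak it found. Run against rotated copies and backup archives too; those are the copies most often forgotten when log permissions are tightened.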
Examples (2)
In the following code snippet, a user's name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user. When the lookup fails, the exception handler writes the whole user object, including the location just stored, to the error log:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + currentUser.toString());
    }

Bad · Java
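The two MITRE examples above leak a card number through string concatenation and a user's state through a `toString()` in an exception handler, which is the same failure the overview describes: sensitive data reaching the log because nothing between the call site and the file removes it. The following is an added Python example, not code from MITRE or from the page, of the corresponding defensive pattern, and it generalizes beyond the two snippets: a logging filter that masks any Luhn-valid card number in the message or its arguments regardless of call site, a user model whose repr excludes sensitive fields so an accidental `%s` of the object is harmless, and an exception handler that logs the exception type plus a correlation id instead of object state. The `User` class, its field names and the test card number are assumptions for the illustration.

```python
import logging
import re
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check, so ordinary long numbers (ids, timestamps) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_card_numbers(text: str) -> str:
    """Replace every Luhn-valid card number with asterisks plus its last four digits."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(_mask, text)

class RedactingFilter(logging.Filter):
    """Masks card numbers in record.msg and record.args, which covers both the
    concatenation style ("CCN: " + ccn) and the lazy style ("CCN: %s", ccn)."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_card_numbers(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: mask_card_numbers(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(mask_card_numbers(str(a)) for a in record.args)
        return True

class MemoryHandler(logging.Handler):
    """Keeps formatted lines in a list so the output can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

@dataclass
class User:
    """Assumed user model: sensitive fields are excluded from repr/str so an
    accidental "%s" of the object cannot leak them."""
    username: str
    ccn: str = field(repr=False)
    location: Optional[str] = field(default=None, repr=False)

    def __str__(self) -> str:
        return f"User(username={self.username!r})"

def configure_logger(name: str = "example"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = MemoryHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler: applies to everything it writes
    logger.addHandler(handler)
    return logger, handler

def log_purchase(logger: logging.Logger, user: User) -> None:
    # Same call as the first MITRE example; the filter keeps only the last four digits.
    logger.info("Username: %s, CCN: %s", user.username, user.ccn)

def update_location(logger: logging.Logger, user: User, lookup) -> str:
    """Second MITRE example done safely: on failure, log the exception type and a
    correlation id that can be matched to the user's error dialog, not user state."""
    request_id = uuid.uuid4().hex[:8]
    try:
        user.location = lookup()
    except Exception as exc:
        logger.error("request %s: %s while updating location for %s",
                     request_id, type(exc).__name__, user)
    return request_id

def demo():
    """Run both scenarios on constructed data and return the produced log lines."""
    logger, handler = configure_logger()
    user = User("alice", "4111 1111 1111 1111", location="51.50,-0.12")  # constructed test number

    def failing_lookup():
        raise TimeoutError("location service unavailable")

    log_purchase(logger, user)
    update_location(logger, user, failing_lookup)
    return handler.lines

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the handler rather than the logger matters: a filter on a `Logger` only sees records created through that logger object, while a handler filter sees every record that reaches the handler, including those propagated from child loggers. The filter is a safety net for call sites that were missed; the `repr=False` fields and the narrow exception message are what keep the data out of the log in the first place.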
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-25923 | WordPress Community by PeepSo plugin <= 6.2.7.0 - Sensitive Data Exposure via Log File vulnerability | Community by PeepSo | 5.3 | Medium | 2024-03-28
CVE-2024-29945 | Splunk Authentication Token Exposure in Debug Log in Splunk Enterprise | Splunk Enterprise | 7.2 | High | 2024-03-27
CVE-2023-44989 | WordPress CF7 Google Sheets Connector plugin <= 5.0.5 - Sensitive Data Exposure via Debug Log vulnerability | CF7 Google Sheets Connector | 7.5 | High | 2024-03-26
CVE-2024-25957 | Dell Grab log information disclosure vulnerability | Grab for Windows | 4.8 | Medium | 2024-03-26
CVE-2022-36407 | Information Exposure Vulnerability in Hitachi Disk Array Systems | Hitachi Virtual Storage Platform | 9.9 | Critical | 2024-03-25
CVE-2024-27097 | Potential log injection in reset user endpoint in ckan | ckan | 4.3 | Medium | 2024-03-13
CVE-2023-43043 | IBM Maximo Application Suite information disclosure | Maximo Application Suite - Maximo Mobile for EAM | 5.1 | Medium | 2024-03-13
CVE-2024-28236 | Insecure Variable Substitution in Vela | worker | 7.7 | High | 2024-03-12
CVE-2024-28186 | SMTP Mail Credentials Disclosed in Error Log in freescout | freescout | 7.1 | High | 2024-03-12
CVE-2023-6814 | Information Exposure Vulnerability in Cosminexus Component Container | Cosminexus Component Container | 5.6 | Medium | 2024-03-12
CVE-2023-46171 | IBM DS8900F information disclosure | DS8900F | 4.3 | Medium | 2024-03-07
CVE-2023-50740 | Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged | Apache Linkis DataSource | 7.5 (AI) | High (AI) | 2024-03-06
CVE-2024-22352 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 6.5 | Medium | 2024-03-05
CVE-2023-50951 | IBM QRadar Suite information disclosure | QRadar Suite Software | 4.0 | Medium | 2024-02-17
CVE-2024-22337 | IBM QRadar Suite information disclosure | QRadar Suite Software | 5.1 | Medium | 2024-02-17
CVE-2024-22336 | IBM QRadar Suite information disclosure | QRadar Suite Software | 5.1 | Medium | 2024-02-17
CVE-2024-22335 | IBM QRadar Suite information disclosure | QRadar Suite Software | 5.1 | Medium | 2024-02-17
CVE-2024-22464 | Dell EMC AppSync log information disclosure vulnerability | AppSync | 6.2 | Medium | 2024-02-08
CVE-2024-23448 | APM Server Insertion of Sensitive Information into Log File | APM Server | 5.7 | Medium | 2024-02-07
CVE-2024-24939 | JetBrains Rider security vulnerability | Rider | 3.3 | Low | 2024-02-06
CVE-2024-0935 | Insertion of Sensitive Information into Log File vulnerabilities affecting DELMIA Apriso Release 2019 through Release 2024 | DELMIA Apriso | 4.4 | Medium | 2024-02-01
CVE-2024-0831 | Vault May Expose Sensitive Information When Configuring An Audit Log Device | Vault | 4.5 | Medium | 2024-02-01
CVE-2023-46230 | Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder | Splunk Add-on Builder | 8.2 | High | 2024-01-30
CVE-2023-46231 | Session Token Disclosure to Internal Log Files in Splunk Add-on Builder | Splunk Add-on Builder | 8.8 | Medium | 2024-01-30
CVE-2024-23840 | `goreleaser release --debug` shows secrets | goreleaser | 5.5 | Medium | 2024-01-30
CVE-2024-23791 | Unnecessary data is written to log if issues during indexing occurs | OTRS | 4.9 | Medium | 2024-01-29
CVE-2023-51702 | Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service | Apache Airflow CNCF Kubernetes provider | 6.5 | - | 2024-01-24
CVE-2024-23677 | Server Response Disclosure in RapidDiag Salesforce.com Log File | Splunk Enterprise | 4.3 | Medium | 2024-01-22
CVE-2024-23686 | DependencyCheck Debug Mode Logging of NVD API Key | - | 6.2 | - | 2024-01-19
CVE-2024-21668 | Insertion of Sensitive Information into Log File in react-native-mmkv | react-native-mmkv | 4.4 | Medium | 2024-01-09

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) account for 604 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.