
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 represents a critical information disclosure weakness where software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. This vulnerability is typically exploited by attackers who gain access to these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must implement strict data sanitization protocols, ensuring that sensitive fields are masked or excluded before logging. Additionally, employing robust access controls and encryption for log storage, alongside regular audits of logging configurations, helps mitigate the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
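The two MITRE snippets show the weakness; the hardened counterpart below is an added example written for this page (it is not MITRE's code and not taken from any of the listed products). It applies the "do not write secrets into the log files" mitigation in two layers: the card number is masked at the call site, and exception text is scrubbed before it is logged, since an exception message can echo request data or credentials. The class and method names (LogSanitizer, maskCardNumber, scrub) and the sample values are assumptions made for the illustration.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example, not from MITRE or the page: hardened form of the
// "Username/CCN" and "Caught exception" log statements shown above.
public final class LogSanitizer {
    private static final Logger LOGGER = Logger.getLogger(LogSanitizer.class.getName());

    // 13 to 19 digits, optionally separated by spaces or dashes (typical card number lengths).
    private static final Pattern PAN = Pattern.compile("\\b(?:\\d[ -]?){12,18}\\d\\b");

    // key=value or key: value pairs whose values must never reach a log line.
    private static final Pattern SECRET_KV = Pattern.compile(
        "(?i)(password|passwd|pwd|token|secret|authorization)\\s*[=:]\\s*\\S+");

    private LogSanitizer() {}

    // Keep only the last four digits: "4111 1111 1111 1111" -> "************1111".
    public static String maskCardNumber(String ccn) {
        if (ccn == null) return null;
        String digits = ccn.replaceAll("[^0-9]", "");
        if (digits.length() <= 4) return "****";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digits.length() - 4; i++) sb.append('*');
        return sb.append(digits.substring(digits.length() - 4)).toString();
    }

    // Last line of defence for free-form text (exception messages, request echoes):
    // replace anything that looks like a card number and blank out key=value secrets.
    public static String scrub(String message) {
        if (message == null) return null;
        String out = PAN.matcher(message).replaceAll("[PAN-REDACTED]");
        return SECRET_KV.matcher(out).replaceAll("$1=[REDACTED]");
    }

    public static void main(String[] args) {
        String username = "alice";
        String ccn = "4111 1111 1111 1111"; // constructed sample value, not a real card

        // MITRE's bad form: logger.info("Username: " + username + ", CCN: " + ccn);
        // Hardened: the operator still sees which card was used, but only its last four digits.
        LOGGER.info("Username: " + username + ", CCN: " + maskCardNumber(ccn));

        // Exception messages may carry user-supplied data, so scrub them instead of
        // concatenating the raw exception and the whole user object into the log.
        try {
            throw new IllegalStateException(
                "lookup failed for card 4111111111111111, password=hunter2"); // constructed
        } catch (Exception e) {
            LOGGER.severe("Caught exception: " + scrub(e.getMessage())
                + " while serving user: " + username);
        }
    }
}
```

The masking happens before the string reaches the logger, so it holds regardless of which appender or log level is configured; the scrub step is deliberately a pattern-based safety net, not the primary control, because free-form messages cannot be enumerated in advance. Running the main method logs "Username: alice, CCN: ************1111" and an exception line in which both the card number and the password value have been replaced.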
CVE ID | Title | CVSS | Severity | Published
CVE-2023-41253 | BIG-IP DNS TSIG Key vulnerability — BIG-IP | 5.5 | Medium | 2023-10-10
CVE-2023-39447 | BIG-IP APM Guided Configuration vulnerability — BIG-IP | 4.4 | Medium | 2023-10-10
CVE-2023-5182 | Subiquity log information disclosure vulnerability — subiquity | 5.5 | Medium | 2023-10-06
CVE-2023-45241 | Acronis Agent log information disclosure vulnerability — Acronis Cyber Protect Cloud Agent | 7.5 | - | 2023-10-05
CVE-2023-4380 | Platform: token exposed at importing project — Red Hat Ansible Automation Platform 2.4 for RHEL 8 | 6.3 | Medium | 2023-10-04
CVE-2023-3335 | Information Exposure Vulnerability in Hitachi Ops Center Administrator — Hitachi Ops Center Administrator | 6.5 | Medium | 2023-10-03
CVE-2023-44155 | Acronis Cyber Protect security vulnerability — Acronis Cyber Protect 15 | 7.5 | - | 2023-09-27
CVE-2022-27599 | QVR Pro Client — QVR Pro Client | 6.7 | Medium | 2023-09-08
CVE-2023-4688 | Acronis Agent log information disclosure vulnerability — Acronis Agent | 7.5 | - | 2023-08-31
CVE-2023-39348 | Improper log output when using GitHub Status Notifications in spinnaker — spinnaker | 4.0 | Medium | 2023-08-28
CVE-2023-38733 | IBM Robotic Process Automation information disclosure — Robotic Process Automation | 4.3 | Medium | 2023-08-22
CVE-2023-38732 | IBM Robotic Process Automation information disclosure — Robotic Process Automation | 4.3 | Medium | 2023-08-22
CVE-2023-32491 | Dell PowerScale OneFS log information disclosure vulnerability — PowerScale OneFS | 6.3 | Medium | 2023-08-16
CVE-2023-4108 | Audit logging fails to sanitize post metadata — Mattermost | 4.5 | Medium | 2023-08-11
CVE-2023-36494 | F5OS-A vulnerability — F5OS - Appliance | 4.4 | Medium | 2023-08-02
CVE-2023-3993 | Insertion of Sensitive Information into Log File in GitLab — GitLab | 4.9 | Medium | 2023-08-02
CVE-2023-31426 | scp, sftp, ftp servers passwords in supportsave — Brocade Fabric OS | 6.8 | Medium | 2023-08-01
CVE-2023-32468 | Dell EMC ECS log information disclosure vulnerability — ECS Streamer | 5.8 | Medium | 2023-07-26
CVE-2023-20891 | VMware Tanzu Application Service for VMs and Isolation Segment information disclosure vulnerability — VMware Tanzu Application Service for VMs | 6.5 | Medium | 2023-07-26
CVE-2023-32478 | Dell EMC PowerStore log information disclosure vulnerability — PowerStore | 9.0 | Critical | 2023-07-21
CVE-2023-26023 | IBM Planning Analytics Cartridge for Cloud Pak for Data information disclosure — Sterling Connect:Express for UNIX | 6.5 | Medium | 2023-07-19
CVE-2023-3363 | Insertion of Sensitive Information into Log File in GitLab — GitLab | 3.9 | Low | 2023-07-13
CVE-2023-20207 | Cisco Duo security vulnerability — Cisco Duo Authentication Proxy | 4.9 | Medium | 2023-07-12
CVE-2023-38067 | JetBrains TeamCity log information disclosure vulnerability — TeamCity | 4.3 | Medium | 2023-07-12
CVE-2023-38064 | JetBrains TeamCity log information disclosure vulnerability — TeamCity | 4.3 | Medium | 2023-07-12
CVE-2023-26207 | Fortinet FortiOS log information disclosure vulnerability — FortiProxy | 3.3 | Low | 2023-06-13
CVE-2023-2878 | Kubernetes secrets-store-csi-driver discloses service account tokens in logs — secrets-store-csi-driver | 6.5 | Medium | 2023-06-07
CVE-2023-34097 | Database password exposed in logs in hoppscotch — hoppscotch | 7.8 | High | 2023-06-05
CVE-2023-34223 | JetBrains TeamCity log information disclosure vulnerability — TeamCity | 4.3 | Medium | 2023-05-31
CVE-2022-0010 | QCS 800xA Vulnerability identified in system log files — QCS 800xA | 7.8 | High | 2023-05-22

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.