
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class, 604 CVEs

604 vulnerabilities are classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis is included.

CWE-532 is an information disclosure weakness in which software writes sensitive data, such as passwords, payment card numbers, or personal identifiers, into log files. Attackers typically reach those logs through weak file permissions, insecure log storage, or compromised administrative accounts, and then harvest the exposed data for identity theft, financial fraud, or further intrusion. The primary fix is to sanitize at the logging call: mask or omit sensitive fields before they are written. Access controls and encryption for log storage, together with regular audits of logging configurations, limit the damage from any exposure that slips through. Treating log files as repositories of confidential information shrinks the attack surface and supports compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Scope: Confidentiality. Technical impact: Read Application Data.
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Phase: Architecture and Design; Implementation. Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Phase: Distribution. Remove debug log files before deploying the application into production.
Phase: Operation. Protect log files against unauthorized read/write.
Phase: Implementation. Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.

    // Both the username and the full card number land in the log verbatim.
    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user and, in its error handler, writes the whole user object (location included) to the error log:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        // User.toString() serializes the user's data, including location, into the log.
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
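As an added example (not code from the CWE page or from MITRE), the mitigation "do not write secrets into the log files" applied at the logging layer rather than at every call site: a Python logging filter that masks card numbers and credential values before a record reaches any handler, so the statement from the first example above no longer leaks the card number. The regex patterns, the logger name and the list-backed handler are constructed for this demo.

```python
import logging
import re

# Added example, not code from the CWE page: redact secrets before a record
# reaches any handler, so the statement the page marks "Bad" becomes safe.
# Constructed patterns: 13-19 digit runs (card numbers) and key=value or
# key: value pairs whose key names a credential.
CCN_RE = re.compile(r"\b\d{13,19}\b")
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|token|secret|api[_-]?key)\s*[=:]\s*\S+")


def sanitize(text: str) -> str:
    """Mask card numbers to their last four digits; drop credential values."""
    text = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return CCN_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], text)


class RedactingFilter(logging.Filter):
    """Logger-level filter: rewrites the message once, before every handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())  # interpolate args first,
        record.args = ()                            # then freeze the message
        return True


class ListHandler(logging.Handler):
    # Collects formatted lines in a list so the output can be inspected.
    def __init__(self, sink: list):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(sink: list) -> logging.Logger:
    logger = logging.getLogger("cwe532-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False          # keep the demo out of the root logger
    logger.handlers.clear()
    logger.filters.clear()
    logger.addHandler(ListHandler(sink))
    logger.addFilter(RedactingFilter())
    return logger


def log_login(username: str, ccn: str, sink: list) -> str:
    """The page's first example statement, now passed through the filter."""
    logger = build_logger(sink)
    logger.info("Username: %s, CCN: %s", username, ccn)
    return sink[-1]
```

A pattern-based filter only catches what its patterns describe; it is a safety net behind the stronger control of never passing secrets to the logging call in the first place.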
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-21492 | SAMSUNG Mobile devices log information disclosure vulnerability | Samsung Mobile Devices | 4.4 | Medium | 2023-05-04
CVE-2023-31207 | Automation user secret logged to Apache access log | Checkmk | 4.4 | Medium | 2023-05-02
CVE-2023-1786 | sensitive data exposure in cloud-init logs | cloud-init | 5.5 | Medium | 2023-04-26
CVE-2023-30618 | Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform | kitchen-terraform | 3.2 | Low | 2023-04-21
CVE-2022-2084 | sensitive data exposure in cloud-init logs | cloud-init | 5.5 | Medium | 2023-04-19
CVE-2021-3429 | sensitive data exposure in cloud-init logs | cloud-init | 5.5 | Medium | 2023-04-19
CVE-2023-30610 | AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending | aws-sdk-rust | 5.5 | Medium | 2023-04-19
CVE-2023-29002 | Debug mode leaks confidential data in Cilium | cilium | 7.2 | High | 2023-04-18
CVE-2022-48435 | JetBrains PhpStorm log information disclosure vulnerability | PhpStorm | 3.3 | Low | 2023-04-04
CVE-2022-43772 | Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File | Pentaho Business Analytics Server | 3.8 | Low | 2023-04-03
CVE-2023-1550 | NGINX Agent vulnerability CVE-2023-1550 | NGINX Agent | 5.5 | Medium | 2023-03-29
CVE-2023-28630 | Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd | gocd | 4.2 | Medium | 2023-03-27
CVE-2021-3684 | Red Hat OpenShift Assisted Installer log information disclosure vulnerability | assisted-installer | 5.5 | - | 2023-03-24
CVE-2023-28443 | directus vulnerable to Insertion of Sensitive Information into Log File | directus | 4.2 | Medium | 2023-03-23
CVE-2023-28441 | smartCARS 3 Password Stored as plain text in Error Log | smartcars-3-bugs | 8.0 | High | 2023-03-23
CVE-2023-22481 | Sensitive information exposure in the logs of greader API in FreshRSS | FreshRSS | 4.0 | Medium | 2023-03-06
CVE-2022-43923 | IBM Maximo Application Suite log information disclosure vulnerability | Maximo Application Suite | 6.2 | Medium | 2023-02-24
CVE-2023-0815 | Plaintext Password Present in the Web logs | Meridian | 6.8 | Medium | 2023-02-23
CVE-2022-43870 | IBM Spectrum Virtualize information disclosure | Spectrum Virtualize | 6.5 | Medium | 2023-02-22
CVE-2022-43954 | Fortinet FortiPortal log information disclosure vulnerability | FortiPortal | 4.1 | Medium | 2023-02-16
CVE-2023-25163 | Argo CD leaks repository credentials in user-facing error messages and in logs | argo-cd | 6.3 | Medium | 2023-02-08
CVE-2023-25164 | Sensitive Information leak via Script File in TinaCMS | tinacms | 8.6 | High | 2023-02-08
CVE-2023-22575 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 8.7 | High | 2023-02-01
CVE-2023-22573 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 7.9 | High | 2023-02-01
CVE-2023-22574 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 8.1 | High | 2023-02-01
CVE-2023-22572 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 7.8 | High | 2023-02-01
CVE-2022-45098 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.1 | Medium | 2023-02-01
CVE-2021-39011 | IBM Cloud Pak for Security information disclosure | Cloud Pak for Security | 4.2 | Medium | 2023-01-20
CVE-2023-22733 | Improper Output Neutralization in Log Module in shopware | platform | 2.7 | Low | 2023-01-17
CVE-2022-23506 | Spinnaker's Rosco microservice vulnerable to improper log masking on AWS Packer builds | spinnaker | 4.3 | Medium | 2023-01-03

The 604 CVEs classified as CWE-532 (Information Exposure Through Log Files) share the weakness the CWE taxonomy describes; review each CVE for its product-specific impact.