
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 represents a critical information disclosure weakness where software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. This vulnerability is typically exploited by attackers who gain access to these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must implement strict data sanitization protocols, ensuring that sensitive fields are masked or excluded before logging. Additionally, employing robust access controls and encryption for log storage, alongside regular audits of logging configurations, helps mitigate the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        // The whole user object, including the stored location, is written to the log.
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
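Both examples above leak because the redaction decision is left to each call site. The mitigation "do not write secrets into the log files" is easier to enforce at the logging layer, so that a careless call still cannot put a card number or password on disk. The following is an added example (not code from the CWE entry or from any product listed on this page) that installs a redacting filter on a Python logging handler; the key names it recognises, the Luhn check used to limit false positives, and the sample values are all constructed for the example.

```python
"""Redacting log filter: masks secrets before a handler writes them.

Added example for the CWE-532 mitigation "do not write secrets into the log
files". It covers the two leak patterns from the CWE examples: a card number
passed as a log argument, and an exception message that carries a credential.
"""
import logging
import re
from io import StringIO

# Key/value secrets such as password=..., token: ..., "api_key": "...".
# The key list is an assumption for this example; extend it for your own data.
_KV_SECRET = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)'
    r'(["\']?\s*[=:]\s*["\']?)([^\s"\',;&]+)'
)
# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# spaces or dashes. A Luhn check below rejects most look-alikes (order ids etc.).
_PAN = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not luhn_ok(digits):
        return raw  # not a card number; leave it readable
    return '*' * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask key=value secrets and Luhn-valid card numbers in a string."""
    text = _KV_SECRET.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    return _PAN.sub(_mask_pan, text)


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message, and folds in any attached
    exception text, before the handler emits the record. Installing it on the
    handler rather than the logger also covers records from child loggers."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        if record.exc_info:
            # The handler would otherwise format the raw traceback later;
            # replace it with the redacted exception message.
            record.msg += " [exception: " + redact(str(record.exc_info[1])) + "]"
            record.exc_info = None
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose single handler redacts every record it writes."""
    logger = logging.getLogger("cwe532.example")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Log the two CWE example patterns and return what reached the 'file'."""
    buf = StringIO()  # stands in for the on-disk log file
    log = build_logger(buf)
    # Constructed values: 4111 1111 1111 1111 is a well-known Luhn-valid test PAN.
    log.info("Username: %s, CCN: %s", "alice", "4111 1111 1111 1111")
    try:
        raise ValueError("login failed for user=alice password=Hunter2!")
    except ValueError:
        # 1234567890123 is 13 digits but fails Luhn, so it stays readable.
        log.exception("Caught exception while on user id=1234567890123")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Two points worth noting: the filter mutates the record, so every handler that sees the record afterwards gets the redacted text as well, and it deliberately drops the traceback rather than trusting it to be free of secrets. A Luhn check is not proof that a number is a card number, only a cheap way to avoid masking every long identifier; treat the regex as a safety net behind proper field-level masking at the call site, not as a replacement for it.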
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-4858 | Insertion of Sensitive Information into Log File | M-Files Server | 4.4 | Medium | 2022-12-30
CVE-2022-43887 | IBM Cognos Analytics information disclosure | Cognos Analytics | 5.3 | Medium | 2022-12-19
CVE-2022-4311 | ARC Informatique PcVue log information disclosure vulnerability | PcVue | 4.7 | Medium | 2022-12-12
CVE-2022-33187 | Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs | Brocade SANnav | 5.5 | Medium | 2022-12-09
CVE-2022-27895 | A component in Foundry logging was found to be capturing sensitive information in logs. | Foundry Build2 | 4.2 | Medium | 2022-11-15
CVE-2022-27896 | The Foundry Code-Workbooks service was found to contain an issue leading to information disclosure. | Foundry Code-Workbooks | 4.2 | Medium | 2022-11-14
CVE-2022-35719 | IBM MQ Internet Pass-Thru log information disclosure vulnerability | MQ Internet Pass-Thru | 5.1 | Medium | 2022-11-14
CVE-2022-39893 | SAMSUNG Galaxy Buds Pro Manager log information disclosure vulnerability | Galaxy Buds Pro Manager | 3.3 | Low | 2022-11-09
CVE-2022-44745 | Acronis Cyber Protect log information disclosure vulnerability | Acronis Cyber Protect Home Office | 5.5 | - | 2022-11-07
CVE-2022-27893 | The Foundry Magritte plugin osisoft-pi-web-connector was found to be logging in a manner that captured authentication requests. | Foundry Magritte plugin osisoft-pi-web-connector | 4.2 | Medium | 2022-11-04
CVE-2021-44862 | Sensitive information stored in NSClient logs | NSClient | 8.4 | High | 2022-11-03
CVE-2022-44624 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 6.5 | Medium | 2022-11-03
CVE-2022-41553 | Information Exposure Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer | Hitachi Infrastructure Analytics Advisor | 6.5 | Medium | 2022-11-01
CVE-2022-3191 | Information Exposure Vulnerability in Hitachi Ops Center Analyzer | Hitachi Ops Center Analyzer | 6.6 | Medium | 2022-11-01
CVE-2022-31239 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 6.7 | Medium | 2022-10-21
CVE-2022-39876 | SAMSUNG Mobile devices log information disclosure vulnerability | Reminder | 5.9 | Medium | 2022-10-07
CVE-2022-23716 | Elastic Cloud Enterprise log information disclosure vulnerability | Elastic Cloud Enterprise | 6.5 | - | 2022-09-28
CVE-2022-40979 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 4.4 | Medium | 2022-09-23
CVE-2022-34369 | Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 8.1 | High | 2022-09-02
CVE-2022-23715 | Elastic Cloud Enterprise log information disclosure vulnerability | Elastic Cloud Enterprise | 6.5 | - | 2022-08-25
CVE-2022-38133 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 3.2 | Low | 2022-08-10
CVE-2022-31119 | Password disclosure in log file in Nextcloud Mail App | security-advisories | 3.1 | Low | 2022-08-04
CVE-2022-31186 | Leakage of excessive information into log in next-auth | next-auth | 3.3 | Low | 2022-08-01
CVE-2022-36321 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 4.1 | Medium | 2022-07-20
CVE-2022-33697 | SAMSUNG Mobile devices ImsCore log information disclosure vulnerability | Samsung Mobile Devices | 3.3 | Low | 2022-07-11
CVE-2022-33688 | SAMSUNG Mobile devices log information disclosure vulnerability | Samsung Mobile Devices | 3.3 | Low | 2022-07-11
CVE-2022-20768 | Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability | Cisco RoomOS Software | 4.9 | Medium | 2022-07-06
CVE-2022-27549 | HCL Launch could disclose sensitive database information to a local user in plain text. | HCL Launch | 4.0 | Medium | 2022-07-06
CVE-2022-31098 | Weave GitOps leaked cluster credentials into logs on connection errors | weave-gitops | 9.0 | Critical | 2022-06-27
CVE-2022-20651 | Cisco Adaptive Security Device Manager Information Disclosure Vulnerability | Cisco Adaptive Security Device Manager (ASDM) | 5.5 | Medium | 2022-06-22

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.