
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class, 604 CVEs

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is an information disclosure weakness in which software writes sensitive data, such as passwords, session tokens, credit card numbers or personal identifiers, into log files. Logs are usually protected less carefully than the systems that produce them: they sit on disk with loose permissions, are shipped to central log platforms, are bundled into support archives, or are exposed through an administrative interface. An attacker who reaches them through weak file permissions, insecure storage or a compromised account therefore obtains the data without touching the application's own access controls, and can use it for credential replay, identity theft, financial fraud or further intrusion. Prevention starts in code: sensitive fields must be masked or omitted before a message reaches the logger, including in exception handlers, which commonly dump whole objects (the second MITRE example below does exactly that). Access controls and encryption on log storage, removal of debug logging before production, and periodic audits of both logging configuration and existing log content reduce the chance that a slip reaches an attacker. Treating log files as a store of confidential information, handled like the data they may contain, is what keeps this weakness from becoming a breach and keeps the organisation within its data protection obligations. Note that the severity assigned to individual CVEs in this class ranges from Low to High, depending on what was logged and who could read it.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.
logger.info("Username: " + username + ", CCN: " + ccn); // the full card number lands in the log
Bad · Java
This code stores location information about the current user and, when an exception occurs, writes the whole user object to the device log:
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    // The user sees only a generic message, but the user object, location
    // included, goes into the device log where other apps or a support
    // bundle can read it.
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}
Bad · Java
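The two MITRE snippets show the defect at the call site. What follows is an added example, not MITRE's code and not from any product listed on this page, of the mitigation the summary describes: secrets are masked after formatting but before a record reaches any handler, and the same redaction routine is reused to audit log text that already exists. It is written in Python; the key names, regular expressions and sample log lines are constructed assumptions, so adjust the key list to the field names your own code logs.

```python
"""Redact secrets before they reach a log, and audit logs that already exist.

Added example for CWE-532; not MITRE's code and not from any product on this
page. Key names, patterns and sample log lines are constructed assumptions.
"""
import io
import logging
import re

# Key/value secrets: "password=hunter2", "Authorization: Bearer xyz", "Set-Cookie: ...".
# The key list is an assumption; extend it to match the field names your code logs.
_KV_RE = re.compile(
    r"(?i)\b([\w-]*(?:password|passwd|pwd|secret|token|api[_-]?key|session[_-]?id)"
    r"|authorization|cookie|set-cookie)"
    r"(\s*[=:]\s*)(?:bearer\s+|basic\s+)?([^\s,;&\"']+)"
)
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); screens out timestamps and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(m):
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                      # not a card number: leave the text alone
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask secrets in a string. Used both at log time and when auditing."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return _CARD_RE.sub(_mask_card, text)


class RedactingFilter(logging.Filter):
    """Rewrite each record after %-formatting so every handler sees masked text.

    Formatting first matters: redacting "password=%s" before the args are
    substituted would remove the placeholder and break the format call.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose handler redacts; a handler filter also covers child loggers."""
    logger = logging.getLogger("cwe532.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())   # on the handler, not the logger
    logger.addHandler(handler)
    return logger


def scan_log_lines(lines):
    """Audit existing log text: (line number, redacted line) for each line holding a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        cleaned = redact(line)
        if cleaned != line:
            findings.append((n, cleaned))
    return findings


# Constructed sample log lines (not from any real product).
SAMPLE_LOG = [
    "2022-06-14 10:01:02 INFO  user=alice action=checkout order=100045 ts=20220614100102",
    "2022-06-14 10:01:03 DEBUG POST /login body=user=alice&password=hunter2",
    "2022-06-14 10:01:04 DEBUG header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "2022-06-14 10:01:05 INFO  charged card 4111-1111-1111-1111 amount=19.99",
    "2022-06-14 10:01:06 WARN  Set-Cookie: sessionid=9f86d081884c7d65 rejected",
]


def demo() -> str:
    """Log the MITRE-style message through the filter and return what was written."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("Username: %s, CCN: %s", "alice", "4111 1111 1111 1111")
    log.error("login failed: password=hunter2 for user=bob")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
    for n, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

The filter is attached to the handler rather than the logger because logger-level filters in Python's logging apply only to records created on that logger, not to records propagated from children; a handler filter sees everything the handler writes. The Luhn gate keeps the card pattern from masking timestamps and order numbers, and the audit function is the same routine run over lines that are already on disk, which is the check to run when "regular audits of logging configurations" is on the to-do list.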
CVE ID | Title | Product | CVSS | Severity | Published
------ | ----- | ------- | ---- | -------- | ---------
CVE-2022-31047 | Insertion of Sensitive Information into Log File in typo3/cms-core | typo3 | 5.3 | Medium | 2022-06-14
CVE-2022-32254 | Siemens SINEMA Remote Connect Server log information disclosure vulnerability | SINEMA Remote Connect Server | 4.3 | Medium | 2022-06-14
CVE-2022-20807 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | Cisco TelePresence Video Communication Server (VCS) Expressway | 4.3 | Medium | 2022-05-27
CVE-2022-20806 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | Cisco TelePresence Video Communication Server (VCS) Expressway | 4.3 | Medium | 2022-05-27
CVE-2022-20809 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities | Cisco TelePresence Video Communication Server (VCS) Expressway | 4.3 | Medium | 2022-05-26
CVE-2022-29928 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 4.4 | Medium | 2022-05-12
CVE-2022-28859 | F5 BIG-IP log information disclosure vulnerability | BIG-IP | 6.5 | Medium | 2022-05-05
CVE-2022-27636 | F5 BIG-IP APM log information disclosure vulnerability | BIG-IP APM | 5.5 | Medium | 2022-05-05
CVE-2022-27888 | The Foundry Issues service was found to be logging in a manner that captured session tokens. | Foundry Issues | 5.5 | Medium | 2022-04-26
CVE-2022-24875 | Potential Secrets being logged to disk in CVEProject/cve-services | cve-services | 5.3 | Medium | 2022-04-21
CVE-2022-24758 | Insertion of Sensitive Information into Log File affects Jupyter Notebook | notebook | 7.5 | High | 2022-03-31
CVE-2022-24757 | Sensitive Auth & Cookie data stored in Jupyter server logs | jupyter_server | 7.5 | High | 2022-03-23
CVE-2021-20180 | Red Hat Ansible log information disclosure vulnerability | Ansible | 5.5 | - | 2022-03-16
CVE-2021-25009 | CorreosExpress <= 2.6.0 - Sensitive Information Disclosure | CorreosExpress – Shipping Management – Tags | 5.3 | - | 2022-03-07
CVE-2022-0021 | GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon | GlobalProtect App | 3.3 | Low | 2022-02-10
CVE-2021-36289 | Dell Vnx2 Oe For File log information disclosure vulnerability | VNX Control Station | 7.8 | High | 2022-01-25
CVE-2022-0338 | Insertion of Sensitive Information into Log File in delgan/loguru | delgan/loguru | 4.3 | Medium | 2022-01-25
CVE-2021-41808 | In M-Files Server product with versions before 21.11.10775.0, enabling logging of federated authentication would write sensitive information to event logs. | M-Files Server | 2.0 | Low | 2022-01-18
CVE-2021-44234 | SAP Business One log information disclosure vulnerability | SAP Business One | 5.5 | - | 2022-01-14
CVE-2021-34797 | Apache Geode project log file redaction of sensitive information vulnerability | Apache Geode | 7.5 | - | 2022-01-04
CVE-2021-36318 | Dell Emc Avamar log information disclosure vulnerability | Avamar | 6.7 | Medium | 2021-12-21
CVE-2021-37861 | Mattermost log information disclosure vulnerability | Mattermost | 5.8 | Medium | 2021-12-09
CVE-2021-34800 | Sensitive information could be logged | Acronis Agent | 7.5 | - | 2021-11-29
CVE-2021-21561 | Dell Technologies Dell PowerScale OneFS log information disclosure vulnerability | PowerScale OneFS | 7.8 | High | 2021-11-23
CVE-2021-36340 | Dell Emc Secure Connect Gateway log information disclosure vulnerability | Secure Connect Gateway (SCG) 5.0 Application | 7.8 | High | 2021-11-20
CVE-2021-22030 | Greenplum Database log information disclosure vulnerability | GPDB (Greenplum database) | 6.5 | - | 2021-11-19
CVE-2021-3791 | Binatone Motorola-branded Camera log information disclosure vulnerability | Binatone Hubble Cameras | 6.5 | Medium | 2021-11-12
CVE-2021-40364 | Siemens SIMATIC PCS 7 and SIMATIC WinCC log information disclosure vulnerability | SIMATIC PCS 7 V8.2 | 5.5 | Medium | 2021-11-09
CVE-2020-10052 | SIMATIC RTLS log information disclosure vulnerability | SIMATIC RTLS Locating Manager | 7.1 | - | 2021-11-09
CVE-2021-23046 | F5 BIG-IP log information disclosure vulnerability | BIG-IP Guided Configuration | 4.9 | - | 2021-09-14

Severity is shown as "-" where the source listed none; the CVSS column is the base score as given.

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) account for 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.