
CWE-532 (Information Exposure Through Log Files) — vulnerability class with 604 CVEs

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 is an information disclosure weakness in which software records sensitive data, such as passwords, credit card numbers, session tokens, or personal identifiers, into log files. Attackers typically reach these logs through weak file permissions, insecure log storage or shipping, or a compromised administrative account; once read, the exposed data can be used for account takeover, financial fraud, or further intrusion. To prevent this, developers should sanitize log output, masking or omitting sensitive fields before a record is written, and should keep debug-level logging out of production. Restricting read access to log files, encrypting log storage, and periodically auditing logging configurations reduce the impact when logging does capture something it should not. Treating log files as repositories of confidential information, rather than as harmless diagnostics, shrinks the attack surface and supports compliance with data protection requirements.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
Confidentiality (Read Application Data): Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)

In the following code snippet, a user's full name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user, and on failure logs the exception together with the full User object:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        // Writes the user's location (and whatever else User.toString() exposes) to the device log
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
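The mitigation above ("do not write secrets into the log files") and both Java examples come down to the same control: sensitive values must be masked or dropped before a log record reaches a handler. The following is an added example, not code from this page or from MITRE, showing one way to do that with the Python standard library: a logging.Filter that redacts password/token style fields and card-number-shaped digit runs from the fully formatted message, plus a field-name scrubber for structured events. The regexes, field names and sample messages are constructed for the demonstration and would need tuning to an application's own log fields.

```python
import logging
import re
from io import StringIO

# Constructed patterns for common secret shapes. Order matters only in that
# each pattern runs over the output of the previous one.
_PATTERNS = [
    # key=value / key: value fields such as password=..., token: ..., api_key=...
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)(\S+)"),
     r"\1\2[REDACTED]"),
    # Authorization headers, with or without a Bearer/Basic scheme
    (re.compile(r"(?i)(authorization\s*[=:]\s*)(bearer|basic)?\s*\S+"),
     r"\1[REDACTED]"),
    # 13 to 19 digits, optionally separated by spaces or dashes (card-number shaped)
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "[CCN-REDACTED]"),
]

# Field names whose values are always masked in structured events (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "ccn", "authorization"}


def redact(text: str) -> str:
    """Apply every pattern to the text and return the masked version."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Masks secrets in the formatted message before any handler emits it.

    Formatting the message here, instead of redacting record.msg alone, also
    covers secrets that arrive through %-style arguments (the Python analogue
    of the string concatenation in the Java examples).
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()          # already interpolated; prevent a second % pass
        return True


def scrub_fields(event: dict) -> dict:
    """Structured-logging variant: mask by field name, then pattern-check strings."""
    out = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = scrub_fields(value)
        elif isinstance(value, str):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def build_logger(name: str, stream) -> logging.Logger:
    """Logger whose single handler carries the redacting filter."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Log three constructed messages that each carry a secret; return what was written."""
    buf = StringIO()
    log = build_logger("cwe532-demo", buf)
    log.info("Username: %s, CCN: %s", "alice", "4111 1111 1111 1111")
    log.error("login failed for alice password=hunter2 token: abc.def.ghi")
    log.warning("request headers: Authorization: Bearer eyJhbGciOi.payload.sig")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Pattern-based redaction is a safety net, not the primary control: it cannot know every shape a secret takes, so the structured scrub_fields path (mask by field name at the point where the event is built) is the one to rely on, with the filter catching what slips through free-text messages.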
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-10763 | Red Hat OpenShift Container Storage log information disclosure vulnerability | heketi | 5.5 | - | 2020-11-24
CVE-2020-2048 | PAN-OS: System proxy passwords may be logged in clear text while viewing system state | PAN-OS | 3.3 | Low | 2020-11-12
CVE-2020-11646 | GateManager Log Information Disclosure Vulnerability | GateManager | 4.3 | Medium | 2020-10-15
CVE-2020-11643 | GateManager Information Disclosure Vulnerability | GateManager | 6.5 | Medium | 2020-10-15
CVE-2020-5389 | Dell EMC OpenManage Integration log information disclosure vulnerability | OMIMSSC (OpenManage Integration for Microsoft System Center) | 6.5 | - | 2020-10-08
CVE-2020-14330 | Red Hat Ansible security vulnerability | Ansible | 5.0 | Medium | 2020-09-11
CVE-2020-2043 | PAN-OS: Passwords may be logged in clear text when using after-change-detail custom syslog field for config logs | PAN-OS | 3.3 | Low | 2020-09-09
CVE-2020-2044 | PAN-OS: Passwords may be logged in clear text while storing operational command (op command) history | PAN-OS | 3.3 | Low | 2020-09-09
CVE-2020-7322 | Exposure of Sensitive Information in ENS for Windows | Endpoint Security for Windows | 4.7 | Medium | 2020-09-09
CVE-2020-14518 | Philips DreamMapper Insertion of Sensitive Information into Log File | DreamMapper | 5.3 | Medium | 2020-08-21
CVE-2020-3447 | Cisco Email Security Appliance and Cisco Content Security Management Appliance Information Disclosure Vulnerability | Cisco Email Security Appliance (ESA) | 5.5 | Medium | 2020-08-17
CVE-2020-15095 | Sensitive information exposure through logs in npm cli | cli | 4.4 | Medium | 2020-07-07
CVE-2020-10750 | jaegertracing/jaeger log information disclosure vulnerability | jaegertracing/jaeger | 7.1 | High | 2020-06-19
CVE-2020-12023 | Philips IntelliBridge Enterprise IBE Insertion of Sensitive Information into Log File | IntelliBridge Enterprise (IBE) | 2.0 | Low | 2020-06-11
CVE-2020-11094 | Potential unauthorized access to stored request & session data when plugin is misconfigured in October CMS Debugbar | debugbar-plugin | 6.1 | Medium | 2020-06-03
CVE-2020-3281 | Cisco Digital Network Architecture Center Information Disclosure Vulnerability | Cisco Digital Network Architecture Center (DNA Center) | 8.8 | - | 2020-06-03
CVE-2020-11932 | Subiquity server installer logged LUKS full disk encryption password | Subiquity | 2.3 | Low | 2020-05-13
CVE-2020-10712 | Red Hat OpenShift Container Platform log information disclosure vulnerability | openshift/cluster-image-registry-operator | 7.0 | High | 2020-04-22
CVE-2020-1624 | Junos OS Evolved: objmon logs may leak sensitive information | Junos OS Evolved | 5.5 | Medium | 2020-04-08
CVE-2020-1623 | Junos OS Evolved: ev.ops file may leak sensitive information | Junos OS Evolved | 5.5 | Medium | 2020-04-08
CVE-2020-5262 | GitHub personal access token leaking into temporary EasyBuild (debug) logs | easybuild-framework | 7.7 | High | 2020-03-19
CVE-2019-18576 | Dell EMC XtremIO XMS log information disclosure vulnerability | XtremIO | 6.7 | - | 2020-03-13
CVE-2019-19756 | Lenovo XClarity Administrator log information disclosure vulnerability | XClarity Administrator (LXCA) | 7.9 | High | 2020-03-13
CVE-2018-20105 | yast2-rmt exposes CA private key passphrase in log-file | SUSE Linux Enterprise Server 15 | 4.0 | Medium | 2020-01-27
CVE-2020-5225 | Log injection in SimpleSAMLphp | SimpleSAMLphp | 4.4 | Medium | 2020-01-24
CVE-2019-14885 | Red Hat JBoss Enterprise Application Platform log information disclosure vulnerability | JBoss EAP | 6.5 | - | 2020-01-23
CVE-2019-18244 | OSIsoft PI Vision log information disclosure vulnerability | OSIsoft PI System multiple products and versions | 4.7 | - | 2020-01-15
CVE-2019-11292 | Pivotal Ops Manager logs query parameters in tomcat access file | Pivotal Ops Manager | 6.5 | - | 2020-01-08
CVE-2019-11293 | UAA logs all query parameters with debug logging level | UAA Release | 6.5 | - | 2019-12-06
CVE-2019-10195 | Red Hat FreeIPA log information disclosure vulnerability | IPA | 8.1 | - | 2019-11-27

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) account for 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.