
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is a critical information disclosure weakness in which software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. Attackers typically reach these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts, and then harvest the exposed data for identity theft, financial fraud, or further system intrusion. To prevent this, developers must sanitize data before it is logged, so that sensitive fields are masked or excluded. Robust access controls and encryption for log storage, together with regular audits of logging configurations, further reduce the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.

Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.
logger.info("Username: " + username + ", CCN: " + ccn);
Bad · Java
This code stores location information about the current user:
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}
Bad · Java
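The mitigation the page describes (mask or exclude sensitive fields before logging) as an added example, not code from MITRE or this page: a Python logging filter that rewrites each record before any handler writes it, applied to the same "Username ..., CCN ..." line as the first Java example. The logger name, regexes and sample values are constructed for the demonstration; the filter is a safety net, not a substitute for never passing secrets to the logger.

```python
import io
import logging
import re

# Card numbers: 13-19 digits, optionally separated by spaces or hyphens.
# Deliberately broad; over-redacting a phone number is cheaper than leaking a PAN.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# key=value / key: value secrets; the keyword list is a starting point, not exhaustive.
_SECRET_RE = re.compile(r"(?i)\b(password|passwd|token|secret)(\s*[:=]\s*)([^\s,;]+)")


def mask_pan(pan: str) -> str:
    """Keep the last four digits of a card number and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(message: str) -> str:
    """Mask card numbers and keyword-tagged secrets in a rendered log line."""
    message = _PAN_RE.sub(lambda m: mask_pan(m.group(0)), message)
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Rewrite the record's message before any handler writes it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already rendered; drop the raw (unredacted) args
        return True


def log_with_redaction(username: str, ccn: str, password: str) -> str:
    """Log the shape of the CWE example line through the filter; return the output."""
    buf = io.StringIO()
    logger = logging.getLogger("cwe532.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # Same mistake as the Java example: the raw card number reaches the logger.
    # The filter masks it on the way out; the real fix is not to log it at all.
    logger.info("Username: %s, CCN: %s, password=%s", username, ccn, password)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(log_with_redaction("alice", "4111 1111 1111 1111", "hunter2"))
```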
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-0936 · Insertion of Sensitive Information into Logfile — Process Visualization Interface (PVI) · 5.0 · Medium · 2026-01-29
CVE-2025-13925 · Multiple vulnerabilities in IBM Aspera Console — Aspera Console · 4.9 · Medium · 2026-01-20
CVE-2025-59355 · Apache Linkis: Password Exposure — Apache Linkis · 7.5 (AI) · High (AI) · 2026-01-19
CVE-2026-22782 · RustFS RPC signature verification logs shared secret — rustfs · 7.5 · - · 2026-01-16
CVE-2025-68675 · Apache Airflow: proxy credentials for various providers might leak in task logs — Apache Airflow · 7.5 · - · 2026-01-16
CVE-2026-23493 · Pimcore ENV Variables and Cookie Informations are exposed in http_error_log — pimcore · 8.6 · High · 2026-01-15
CVE-2026-20818 · Windows Kernel Information Disclosure Vulnerability — Windows Server 2016 · 6.2 · Medium · 2026-01-13
CVE-2026-22798 · hermes's raw options logging may disclose secrets passed in via subcommand options argument — hermes · 5.9 · Medium · 2026-01-12
CVE-2025-68919 · Multiple Fujitsu and Fsas products log information disclosure vulnerability — ETERNUS SF ACM/SC/Express · 5.6 · Medium · 2025-12-24
CVE-2025-14437 · Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File — Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN · 7.5 · High · 2025-12-18
CVE-2025-13321 · Mattermost Desktop App logging sensitive information and fails to clear data on server deletion — Mattermost · 3.3 · Low · 2025-12-17
CVE-2025-14432 · Poly Video - Sensitive Data Might Be Written to Log File — Poly G7500 · 4.9 (AI) · Medium (AI) · 2025-12-16
CVE-2025-13743 · Expired Personal Access Tokens (PATs) are recorded in Docker Desktop diagnostic logs — Docker Desktop · 7.5 (AI) · High (AI) · 2025-12-09
CVE-2024-47570 · Multiple Fortinet products log information disclosure vulnerability — FortiSASE · 6.3 · Medium · 2025-12-09
CVE-2025-64650 · IBM Storage Defender - Resiliency Service Information Disclosure — Storage Defender - Resiliency Service · 6.5 · Medium · 2025-12-08
CVE-2020-36876 · ReQuest Serious Play F3 Media Server <= 7.0.3 Debug Log Disclosure 2020 — ReQuest Serious Play Pro · 7.5 · - · 2025-12-05
CVE-2025-12996 · Medtronic CareLink Network security vulnerability — CareLink Network · 4.1 · Medium · 2025-12-04
CVE-2025-66411 · Coder logged sensitive objects unsanitized — coder · 7.8 · High · 2025-12-03
CVE-2025-13611 · Insertion of Sensitive Information into Log File in GitLab — GitLab · 2.0 · Low · 2025-11-26
CVE-2025-20373 · Sensitive Information Disclosure in "_internal" index through Splunk Add-On for Palo Alto Networks — Splunk Add-on for Palo Alto Networks · 2.7 · Low · 2025-11-26
CVE-2025-11446 · upKeeper Manager security vulnerability — upKeeper Manager · 7.5 (AI) · High (AI) · 2025-11-19
CVE-2025-62209 · Windows License Manager Information Disclosure Vulnerability — Windows 10 Version 1507 · 5.5 · Medium · 2025-11-11
CVE-2025-62208 · Windows License Manager Information Disclosure Vulnerability — Windows 10 Version 1507 · 5.5 · Medium · 2025-11-11
CVE-2025-12940 · Credentials recorded in logs in NETGEAR WAX610 and WAX610Y — WAX610 · 6.5 · - · 2025-11-11
CVE-2025-11008 · CE21 Suite <= 2.3.1 - Unauthenticated Sensitive Information Exposure to Privilege Escalation — CE21 Suite · 9.8 · Critical · 2025-11-04
CVE-2025-40603 · SonicWall SMA100 Series security vulnerability — SMA100 · 4.9 · - · 2025-10-31
CVE-2025-62232 · Apache APISIX: basic-auth logs plaintext credentials at info level — Apache APISIX · 6.5 · - · 2025-10-31
CVE-2024-58269 · Rancher exposes sensitive information through audit logs — rancher · 4.3 · Medium · 2025-10-29
CVE-2025-62262 · Liferay Portal and Liferay DXP log information disclosure vulnerability — Portal · 3.3 (AI) · Low (AI) · 2025-10-27
CVE-2025-11248 · Sensitive Information Logged — ManageEngine Endpoint Central · 3.2 · Low · 2025-10-27

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.