
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class, 604 CVEs

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is a critical information disclosure weakness in which software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, in log files. Attackers typically exploit it by gaining access to those logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must sanitize log data, ensuring that sensitive fields are masked or excluded before logging. Robust access controls and encryption for log storage, together with regular audits of logging configurations, further reduce the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description

The product writes sensitive information to a log file.

Common Consequences (1)

- Confidentiality: Read Application Data. Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)

- Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
- Distribution: Remove debug log files before deploying the application into production.
- Operation: Protect log files against unauthorized read/write.
- Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)

In the following code snippet, a user's full name and credit card number are written to a log file.

    // Both the username and the full card number end up in the log file.
    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        // The log line carries the whole user object, including the stored location.
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
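As an added example (not part of the CWE entry or of any product listed on this page), a Python counterpart to the first snippet above: a logging filter that masks card numbers and secret-looking key/value pairs before any handler writes the record. The patterns, the `redact`/`RedactingFilter`/`log_checkout` names and the sample values are constructed for this example.

```python
import io
import logging
import re

# Patterns for data that must never reach a log file (constructed for this example;
# a real deployment would tune them to its own data classification).
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12}(\d{4})\b")
_SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|token|api[_-]?key|secret)\b(\s*[=:]\s*)([^\s,;]+)"
)


def redact(text: str) -> str:
    """Mask card numbers (keeping the last four digits) and secret-looking key/value pairs."""
    text = _CARD_RE.sub(lambda m: "****-****-****-" + m.group(1), text)
    text = _SECRET_KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Safety net: rewrite every record before any handler writes it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # fold in args, then scrub the text
        record.args = ()                          # args are already folded into msg
        return True


def build_logger(name: str = "app") -> tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the written line can be inspected."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, buf


def log_checkout(username: str, ccn: str) -> str:
    """Log the same message shape as the CWE example; return what was actually written."""
    logger, buf = build_logger()
    logger.info("Username: %s, CCN: %s", username, ccn)
    return buf.getvalue()
```

The filter is a safety net for data that slips through; the primary fix from the mitigations above is still not to pass the card number to the logger at all.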
Recent CVEs in this class. Values marked (AI) carry the page's AI marker.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-11504 | Quickcreator – AI Blog Writer 0.0.9 - 0.1.17 - Unauthenticated API Key Exposure | Quickcreator – AI Blog Writer | 7.5 | High | 2025-10-24 |
| CVE-2025-62705 | OpenBao and Vault Leak []byte Fields in Audit Logs | openbao | 7.5 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-62513 | OpenBao leaks HTTPRawBody in Audit Logs | openbao | 7.5 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-46752 | Fortinet FortiDLP log information disclosure vulnerability | FortiDLP | 4.2 | Medium | 2025-10-16 |
| CVE-2025-20329 | Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability | Cisco RoomOS Software | 4.9 | Medium | 2025-10-15 |
| CVE-2025-10486 | Content Writer <= 3.6.8 - Unauthenticated Information Exposure via Log File | Content Writer | 5.3 | Medium | 2025-10-15 |
| CVE-2025-59203 | Windows State Repository API Server File Information Disclosure Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-10-14 |
| CVE-2025-59197 | Windows ETL Channel Information Disclosure Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-10-14 |
| CVE-2025-47979 | Microsoft Failover Cluster Information Disclosure Vulnerability | Windows Server 2022, 23H2 Edition (Server Core installation) | 5.5 | Medium | 2025-10-14 |
| CVE-2025-59258 | Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability | Windows Server 2012 | 6.2 | Medium | 2025-10-14 |
| CVE-2025-31514 | Fortinet FortiOS log information disclosure vulnerability | FortiProxy | 2.6 | Low | 2025-10-14 |
| CVE-2025-37727 | Elasticsearch Insertion of sensitive information in log file | Elasticsearch | 5.7 | Medium | 2025-10-10 |
| CVE-2025-10645 | WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log | WP Reset | 5.3 | Medium | 2025-10-07 |
| CVE-2023-50301 | IBM Transformation Extender Advanced information disclosure | Transformation Extender Advanced | 1.9 | Low | 2025-10-01 |
| CVE-2025-36144 | IBM watsonx.data information disclosure | watsonx.data | 3.3 | Low | 2025-09-27 |
| CVE-2025-9985 | Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File | Featured Image from URL (FIFU) | 5.3 | Medium | 2025-09-26 |
| CVE-2025-34188 | Vasion Print (formerly PrinterLogic) Local Log Disclosure of Cleartext Sessions | Print Virtual Appliance Host | 7.8 | - | 2025-09-19 |
| CVE-2025-34183 | Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure | EVE X1 Server | 9.8 (AI) | Critical (AI) | 2025-09-16 |
| CVE-2025-4234 | Cortex XDR Microsoft 365 Defender Pack: Cleartext Exposure of Credentials | Cortex XDR Microsoft 365 Defender Pack | 5.5 | - | 2025-09-12 |
| CVE-2025-43888 | Dell PowerProtect Data Manager log information disclosure vulnerability | PowerProtect Data Manager | 8.8 | High | 2025-09-10 |
| CVE-2025-10221 | Hardcoded Password Exposure in AxxonNet (C-WerkNet) ARP Agent Logs | AxxonNet ARP Agent C-WerkNet | 5.5 | Medium | 2025-09-10 |
| CVE-2025-7445 | Kubernetes secrets-store-sync-controller discloses service account tokens in logs | secrets-store-sync-controller | 6.5 | Medium | 2025-09-05 |
| CVE-2025-23261 | NVIDIA Cumulus Linux and NVIDIA NVOS log information disclosure vulnerability | NVOS | 5.5 | Medium | 2025-09-04 |
| CVE-2025-8663 | upKeeper Manager security vulnerability | upKeeper Manager | 7.5 (AI) | High (AI) | 2025-09-03 |
| CVE-2025-41690 | Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions | Promag 10 with HART | 7.4 | High | 2025-09-02 |
| CVE-2025-36133 | IBM App Connect Enterprise information disclosure | App Connect Enterprise Certified Container | 5.9 | Medium | 2025-09-01 |
| CVE-2025-57813 | Insertion of Sensitive Information into Log File in github.com/traPtitech/traQ | traQ | 5.9 | Medium | 2025-08-26 |
| CVE-2025-3456 | On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-c | EOS | 3.8 | Low | 2025-08-25 |
| CVE-2025-55285 | @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template` | backstage | 2.6 | Low | 2025-08-15 |
| CVE-2025-38745 | Dell OpenManage Enterprise log information disclosure vulnerability | OpenManage Enterprise | 4.8 | Medium | 2025-08-14 |

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) account for 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.