
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 represents a critical information disclosure weakness where software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. This vulnerability is typically exploited by attackers who gain access to these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must implement strict data sanitization protocols, ensuring that sensitive fields are masked or excluded before logging. Additionally, employing robust access controls and encryption for log storage, alongside regular audits of logging configurations, helps mitigate the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.

    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java

This code stores location information about the current user, and on error writes the whole user object (including that location) to the log:

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }

Bad · Java
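The two MITRE snippets above rewritten so that neither the card number nor the user object reaches the log. This is an added example, not code from MITRE or from this listing; the class name, the `accountId` field and the sample values are assumptions made for illustration.

```java
import java.util.logging.Logger;

// Added example (not part of the MITRE entries above): the same two
// logging calls rewritten so that secrets never reach the log.
public class SafeLogging {
    private static final Logger LOG = Logger.getLogger(SafeLogging.class.getName());

    // Keep only the last four digits of a card number; everything else becomes '*'.
    static String maskCardNumber(String ccn) {
        if (ccn == null) {
            return "<none>";
        }
        String digits = ccn.replaceAll("[^0-9]", "");
        if (digits.length() <= 4) {
            return "****";
        }
        return "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4);
    }

    // Log a stable, non-sensitive account id (hypothetical field) rather than
    // the full name, and the masked card number rather than the raw one.
    static String paymentAuditLine(String accountId, String ccn) {
        return "account=" + accountId + " card=" + maskCardNumber(ccn);
    }

    // Log the exception type and message only; never the user object,
    // whose toString() may include location or other personal data.
    static String errorLine(String activity, Exception e) {
        return activity + ": caught " + e.getClass().getSimpleName()
               + ": " + e.getMessage();
    }

    public static void main(String[] args) {
        // Constructed sample values, not real data.
        LOG.info(paymentAuditLine("acct-1042", "4111 1111 1111 1111"));
        try {
            throw new IllegalStateException("location provider unavailable");
        } catch (Exception e) {
            LOG.severe(errorLine("ExampleActivity", e));
        }
    }
}
```

The masking is applied at the call site rather than in a log filter so that a new log statement cannot accidentally bypass it; a logging-framework filter can be layered on top as a second line of defence.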
CVSS and severity values marked (AI) are tagged AI on the original listing.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-42935 | Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager) | SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager) | 4.1 | Medium | 2025-08-12
CVE-2025-8864 | YugabyteDB security vulnerability | YugabyteDB Anywhere | 6.5 | - | 2025-08-11
CVE-2025-48709 | BMC Control-M/Server cleartext database credentials in process lists and logs | Control-M/Server | 3.8 | Low | 2025-08-07
CVE-2025-54781 | Himmelblau leaks an Intune service access token in its logs | himmelblau | 2.8 | Low | 2025-08-01
CVE-2025-23289 | NVIDIA Omniverse Launcher log information disclosure vulnerability | NVIDIA Omniverse Launcher | 5.5 | Medium | 2025-07-31
CVE-2025-26332 | Dell Data Protection Advisor log information disclosure vulnerability | TechAdvisor | 8.8 | High | 2025-07-30
CVE-2025-30105 | Dell XtremIO log information disclosure vulnerability | XtremIO | 8.8 | High | 2025-07-30
CVE-2025-53649 | SwitchBot log information disclosure vulnerability | SwitchBot App for iOS/Android | 6.5 (AI) | Medium (AI) | 2025-07-29
CVE-2025-54120 | PCL Community Edition exposes login credentials in logs | PCL2-CE | 7.5 | - | 2025-07-23
CVE-2025-43485 | Poly Clariti Manager - Multiple Security Vulnerabilities | Poly Clariti Manager | 4.9 | - | 2025-07-22
CVE-2025-7371 | Okta On-Premises Provisioning Agent log information disclosure vulnerability | Okta On-Premises Provisioning Agent | 6.8 | Medium | 2025-07-22
CVE-2025-52580 | Gift Pad region PAY log information disclosure vulnerability | "region PAY" App for Android | 6.5 | - | 2025-07-22
CVE-2025-54319 | Westermo WeOS log information disclosure vulnerability | WeOS | 6.3 | Medium | 2025-07-20
CVE-2025-6391 | JSON Web Token (JWT) Exposure in Log Files | Brocade ASCG | 8.1 (AI) | High (AI) | 2025-07-17
CVE-2025-54064 | rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles | helm-charts | 7.5 (AI) | High (AI) | 2025-07-17
CVE-2025-30483 | Dell ECS and Dell ObjectScale log information disclosure vulnerability | ECS | 5.5 | Medium | 2025-07-15
CVE-2025-53885 | Directus doesn't redact sensitive user data when logging via event hooks | directus | 4.2 | Medium | 2025-07-14
CVE-2025-6392 | Daily Data Dump Collector logs database password in cleartext when running docker exec commands (CVE-2025-6392) | Brocade SANnav | 6.2 (AI) | Medium (AI) | 2025-07-10
CVE-2025-36599 | Dell PowerFlex Manager VM log information disclosure vulnerability | PowerFlex Manager VM | 4.3 | Medium | 2025-07-09
CVE-2025-5464 | Ivanti Connect Secure log information disclosure vulnerability | Connect Secure | 6.5 | Medium | 2025-07-08
CVE-2025-5463 | Ivanti Connect Secure log information disclosure vulnerability | Connect Secure | 5.5 | Medium | 2025-07-08
CVE-2025-6711 | Incomplete Redaction of Sensitive Information in MongoDB Server Logs | MongoDB Server | 4.4 | Medium | 2025-07-07
CVE-2024-9453 | Jenkins-image: sensitive data disclosure when using openshift jenkins image | openshift-sync-plugin | 6.5 | Medium | 2025-07-04
CVE-2025-6587 | Exposure of system environment variables in Docker Desktop diagnostic logs | Docker Desktop | 6.5 (AI) | Medium (AI) | 2025-07-03
CVE-2025-6624 | Snyk CLI security vulnerability | snyk | 7.2 | High | 2025-06-26
CVE-2025-52893 | OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data | openbao | 4.5 | Medium | 2025-06-25
CVE-2024-7586 | Insertion of Sensitive Information into Log File in GitLab | GitLab | 4.1 | Medium | 2025-06-20
CVE-2025-36050 | IBM QRadar SIEM information disclosure | QRadar SIEM | 6.2 | Medium | 2025-06-19
CVE-2025-50200 | RabbitMQ Node can log Basic Auth header from an HTTP request | rabbitmq-server | 6.8 (AI) | Medium (AI) | 2025-06-19
CVE-2025-2327 | FlashArray KEK Logging Vulnerability | FlashArray | 7.5 (AI) | High (AI) | 2025-06-16

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.