
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class, 604 CVEs

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 is a critical information disclosure weakness in which software records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. Attackers typically reach these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts; once read, the exposed data can be used for identity theft, financial fraud, or further intrusion into the system. To prevent this, developers must sanitize what is logged, ensuring that sensitive fields are masked or excluded before the record is written. Access controls and encryption for log storage, together with regular audits of logging configurations, further reduce the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations reduce their attack surface and support compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.

Common Consequences (1)
- Confidentiality: Read Application Data. Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.

Mitigations (4)
- Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
- Distribution: Remove debug log files before deploying the application into production.
- Operation: Protect log files against unauthorized read/write.
- Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.

Examples (2)
1. In the following code snippet, a user's full name and credit card number are written to a log file. (Bad · Java)

    logger.info("Username: " + username + ", CCN: " + ccn);

2. This code stores location information about the current user, and on error logs the exception together with the whole User object. (Bad · Java)

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    currentUser.setLocation(locationClient.getLastLocation());
    ...
    catch (Exception e) {
        AlertDialog.Builder builder = new AlertDialog.Builder(this);
        builder.setMessage("Sorry, this application has experienced an error.");
        AlertDialog alert = builder.create();
        alert.show();
        Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
    }
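As an added example (not MITRE's text nor code from any product in the list below), here is the mitigation the two snippets above call for, written in Python: a handler-level redaction filter that masks card numbers and key=value secrets (such as the redis AUTH password in the CVE list) in every message, plus a log-safe error line for the catch block that names the exception type instead of dumping the User object. The logger name `cwe532.example`, the two regular expressions and the sample messages are constructed for this example.

```python
import io
import logging
import re

# Constructed patterns for this example: a 13-19 digit card number with optional
# separators, and key=value / key: value secrets such as a redis AUTH password.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SECRET_RE = re.compile(r"(?i)\b(password|passwd|token|secret|api[_-]?key|auth)(\s*[=:]\s*)(\S+)")

def _mask_card(match):
    digits = re.sub(r"\D", "", match.group(0))
    return "*" * (len(digits) - 4) + digits[-4:]  # keep only the last four digits

def redact(text: str) -> str:
    """Mask card numbers and blank out secret values in one rendered log message."""
    text = CARD_RE.sub(_mask_card, text)
    return SECRET_RE.sub(r"\1\2[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Handler-level filter: redacts the rendered message before it is formatted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render msg % args, then scrub
        record.args = ()                           # args are already folded in
        return True

def describe_error(exc: BaseException, user_id: str) -> str:
    """Log-safe line for MITRE's second example: type and id, not str(e) or the User dump."""
    return f"Caught {type(exc).__name__} while serving user id {user_id}"

def build_logger(stream) -> logging.Logger:
    """Logger whose only handler writes to `stream` through the redacting filter."""
    logger = logging.getLogger("cwe532.example")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger

def demo() -> str:
    """Send two MITRE-style messages (constructed sample data) through the logger."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("Username: %s, CCN: %s", "alice", "4111 1111 1111 1111")
    log.error("redis AUTH=s3cr3t failed")
    return buf.getvalue()
```

Because the filter sits on the handler rather than at each call site, a developer who forgets to mask a field still cannot write the raw value to the log.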
| CVE ID | Title | Product | CVSS | Severity | Published |
| CVE-2025-36573 | Dell Smart Dock Firmware log information disclosure vulnerability | Smart Dock | 7.1 | High | 2025-06-12 |
| CVE-2025-49009 | Para Inserts Sensitive Information into Log File for Facebook authentication | para | 6.2 | Medium | 2025-06-05 |
| CVE-2025-48493 | Yii 2 Redis may expose AUTH parameters in logs in case of connection failure | yii2-redis | 6.5 (AI) | Medium (AI) | 2025-06-05 |
| CVE-2025-48955 | Para Server Logs Sensitive Information | para | 6.2 | Medium | 2025-06-02 |
| CVE-2025-46777 | Fortinet FortiPortal log information disclosure vulnerability | FortiPortal | 2.2 | Low | 2025-05-28 |
| CVE-2025-48374 | zot logs secrets | zot | 6.5 (AI) | Medium (AI) | 2025-05-22 |
| CVE-2025-3911 | Exposure in Docker Desktop logs of environment variables configured for running containers | Docker Desktop | 5.5 (AI) | Medium (AI) | 2025-04-29 |
| CVE-2025-46329 | Snowflake Connector for C/C++ inserts client-side encryption key in DEBUG logs | libsnowflakeclient | 3.3 | Low | 2025-04-29 |
| CVE-2025-46614 | Snowflake ODBC Driver security vulnerability | Snowflake ODBC | 3.3 | Low | 2025-04-28 |
| CVE-2025-46432 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 4.3 | Medium | 2025-04-25 |
| CVE-2025-2092 | Remote site authentication secrets written to web log | Checkmk | 7.5 | - | 2025-04-22 |
| CVE-2025-2300 | Information exposure vulnerability in Hitachi Ops Center Common Services within Hitachi Ops Center OVA | Hitachi Ops Center Common Services | 5.5 | Medium | 2025-04-22 |
| CVE-2025-24651 | WordPress WebToffee WP Backup and Migration plugin <= 1.5.3 - Sensitive Data Exposure vulnerability | WordPress Backup & Migration | 5.9 | Medium | 2025-04-17 |
| CVE-2025-32382 | Snowflake credentials logged by the Metabase backend | metabase | 8.1 (AI) | High (AI) | 2025-04-10 |
| CVE-2025-32016 | Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs | microsoft-identity-web | 4.7 | Medium | 2025-04-09 |
| CVE-2025-27391 | Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log | Apache ActiveMQ Artemis | 7.5 | - | 2025-04-09 |
| CVE-2025-30677 | Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors | Apache Pulsar IO Kafka Connector | 8.1 (AI) | High (AI) | 2025-04-09 |
| CVE-2025-25013 | Elastic Defend Insertion of Sensitive Information into Log Files | Elastic Defend | 6.5 | Medium | 2025-04-08 |
| CVE-2025-25002 | Azure Local Cluster Information Disclosure Vulnerability | Azure Local Cluster | 6.8 | Medium | 2025-04-08 |
| CVE-2025-32054 | JetBrains IntelliJ IDEA log information disclosure vulnerability | IntelliJ IDEA | 3.3 | Low | 2025-04-03 |
| CVE-2025-31479 | canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output | get-workflow-version-action | 8.2 | High | 2025-04-02 |
| CVE-2025-31788 | WordPress AIO Performance Profiler, Monitor, Optimize, Compress & Debug plugin <= 1.3 - Sensitive Data Exposure vulnerability | AIO Performance Profiler, Monitor, Optimize, Compress & Debug | 5.3 | Medium | 2025-04-01 |
| CVE-2024-7577 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 4.4 | Medium | 2025-03-28 |
| CVE-2025-1998 | IBM UrbanCode Deploy (UCD) / IBM DevOps Deploy information disclosure | UrbanCode Deploy | 5.5 | Medium | 2025-03-27 |
| CVE-2025-31139 | JetBrains TeamCity log information disclosure vulnerability | TeamCity | 4.3 | Medium | 2025-03-27 |
| CVE-2025-0273 | HCL DevOps Deploy / HCL Launch is susceptible to Insertion of Sensitive Information into Log File vulnerability | HCL DevOps Deploy / HCL Launch | 5.5 | Medium | 2025-03-27 |
| CVE-2025-20231 | Sensitive Information Disclosure in Splunk Secure Gateway App | Splunk Enterprise | 7.1 | High | 2025-03-26 |
| CVE-2025-30205 | kanidm-provision leaks provisioned admin credentials into the system log | kanidm-provision | 7.6 | High | 2025-03-24 |
| CVE-2025-0495 | Secrets leakage to telemetry endpoint via cache backend configuration via buildx | buildx | 6.5 | - | 2025-03-17 |
| CVE-2024-40585 | Fortinet FortiManager and Fortinet FortiAnalyzer log information disclosure vulnerability | FortiAnalyzer | 5.9 | Medium | 2025-03-14 |

CVSS scores and severities marked (AI) carry the listing's AI-estimate marker; a severity of "-" means the listing gives none.

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) number 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.