
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class (604 CVEs)

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI Chinese analysis included.

CWE-532 covers software that writes sensitive data, such as passwords, session tokens, API keys, encryption keys, credit card numbers or personal identifiers, into log files. The log then holds a second, usually far less protected copy of the secret: an attacker who can read it (through lax file permissions, logs shipped to a shared or third-party system, debug artifacts left in a build, or a compromised administrative account) obtains the data without touching the primary store. Leaked credentials and keys are reused for account takeover and lateral movement; card numbers and identifiers feed fraud and identity theft. The defence has two layers. At write time, treat log statements as output that must be sanitized: do not pass secrets to the logger at all, log an identifier rather than a whole object or exception, and run whatever text remains through a redaction step that masks anything that still looks like a credential or card number. At rest, restrict read and write access to log files, encrypt log storage and transport where logs leave the host, keep debug-level logging out of production, and periodically audit both the logging configuration and the existing logs for leaked material. Treating log files as repositories of confidential data shrinks the attack surface and keeps the system within its data-protection obligations.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
Example 1 (Bad, Java). In the following code snippet, a user's full name and credit card number are written to a log file.

logger.info("Username: " + username + ", CCN: " + ccn);

Example 2 (Bad, Java). This code stores location information about the current user and, when that fails, logs the exception text together with the entire user object:

locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}
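Both MITRE snippets hand the secret straight to the logger: the card number as a string argument, the user object and the exception text by concatenation. The Python program below is an added example, not code from MITRE or from this page, of the write-time mitigation listed above. Call sites log a stable identifier instead of the object, and a redacting formatter masks key=value credentials, HTTP Authorization headers and Luhn-valid card numbers in everything a handler writes, including exception tracebacks. The regexes, the `RedactingFormatter` class, the logger name and the sample values (the `4111...` test PAN, the `hunter2` password) are assumptions constructed for this example.

```python
import logging
import re
from io import StringIO

# Added example (not from the page or MITRE). Patterns for the secret shapes the
# CWE-532 examples and mitigations call out: key=value credentials, HTTP auth
# headers, and 13-19 digit payment card numbers (confirmed with Luhn below).
_KV_SECRET = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key|ccn)\s*[:=]\s*\S+")
_AUTH_HEADER = re.compile(
    r"(?i)\b(authorization|proxy-authorization)\s*:\s*(basic|bearer)\s+\S+")
_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum, as card numbers do."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Return the line with credential-looking material masked."""
    text = _KV_SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = _AUTH_HEADER.sub(lambda m: f"{m.group(1)}: {m.group(2)} [REDACTED]", text)

    def mask_card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            return f"[CARD ****{digits[-4:]}]"
        return m.group(0)   # long number that is not a card (order id etc.): keep it

    return _CARD.sub(mask_card, text)


class RedactingFormatter(logging.Formatter):
    """Masks secrets in the fully rendered record, traceback text included, so the
    check runs after %-formatting and exception formatting have happened."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def build_logger(stream) -> logging.Logger:
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("cwe532.example")   # assumed name
    logger.handlers.clear()          # every handler must carry the formatter
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    return logger


def demo() -> str:
    """Replay the page's two bad patterns through the hardened logger and
    return what actually reached the log."""
    buf = StringIO()
    log = build_logger(buf)

    # Constructed values, not real data: 4111 1111 1111 1111 is a Luhn-valid test PAN.
    username, ccn = "alice", "4111111111111111"
    log.info("Username: %s, CCN: %s", username, ccn)           # MITRE example 1
    log.info("order %s paid with card %s", "A-1001", "4111 1111 1111 1111")

    # MITRE example 2 logged str(e) plus the whole user object. Log an id instead
    # of the object and let the formatter scrub the exception text.
    user_id = 42
    try:
        raise ValueError("LDAP bind failed for cn=svc password=hunter2")
    except ValueError:
        log.exception("Caught exception while on user id=%s", user_id)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo())
```

The regex pass is a backstop, not the fix: the primary control is never passing the secret to the logger. The formatter only protects handlers it is attached to, so logs written by other handlers, by a library's own stdout, or before the handler is configured are not covered.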
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-27496 | Snowflake JDBC Driver client-side encryption key in DEBUG logs | snowflake-jdbc | 3.3 | Low | 2025-03-13
CVE-2025-2002 | Schneider Electric EcoStruxure Panel Server log information disclosure vulnerability | EcoStruxure Panel Server | 6.0 | Medium | 2025-03-12
CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | Windows 10 Version 1507 | 4.6 | Medium | 2025-03-11
CVE-2025-0071 | Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager | SAP Web Dispatcher and Internet Communication Manager | 4.9 | Medium | 2025-03-11
CVE-2025-1296 | Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs | Nomad | 6.5 | Medium | 2025-03-10
CVE-2025-1696 | Exposure of Proxy Credentials in Docker Desktop Logs | Docker Desktop | 4.3 | - | 2025-03-06
CVE-2025-1979 | ray log information disclosure vulnerability | ray | 6.4 | Medium | 2025-03-06
CVE-2024-45674 | IBM Security Verify Bridge information disclosure | Security Verify Bridge Directory Sync | 3.3 | Low | 2025-02-21
CVE-2024-13818 | Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction <= 3.8.4 - Sensitive Information Exposure via Log Files | Pie Register – User Registration, Profiles & Content Restriction | 5.3 | Medium | 2025-02-21
CVE-2025-1075 | LDAP credentials logged to Apache error log | Checkmk | 4.9 | - | 2025-02-19
CVE-2025-1053 | Brocade SANnav encryption key is logged in the debug logs | Brocade SANnav | 4.4 | - | 2025-02-14
CVE-2024-13416 | 2N OS security vulnerability | 2N OS | 4.3 | Medium | 2025-02-06
CVE-2025-23413 | BIG-IP Next Central Manager vulnerability | BIG-IP Next Central Manager | 4.4 | Medium | 2025-02-05
CVE-2025-24556 | WordPress MooWoodle plugin <= 3.2.4 - Sensitive Data Exposure vulnerability | MooWoodle | 7.5 | High | 2025-02-03
CVE-2025-23374 | Dell Networking Switches running Enterprise SONiC log information disclosure vulnerability | Enterprise SONiC OS | 8.0 | High | 2025-01-30
CVE-2024-48852 | Information disclosures | FLXEON | 9.4 | Critical | 2025-01-29
CVE-2025-0736 | Org.infinispan-infinispan-parent: exposure of sensitive information in application logs | | 5.5 | Medium | 2025-01-28
CVE-2025-24389 | SMTP Password will be shown in cleartext on some SMTP errors | OTRS | 6.3 | Medium | 2025-01-27
CVE-2023-38271 | IBM Cloud Pak System information disclosure | Cloud Pak System | 4.3 | Medium | 2025-01-25
CVE-2025-24362 | CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts | codeql-action | 6.5 | - | 2025-01-24
CVE-2025-24034 | Himmelblau leaks credentials in the debug log | himmelblau | 3.2 | Low | 2025-01-23
CVE-2025-24457 | JetBrains YouTrack log information disclosure vulnerability | YouTrack | 5.5 | Medium | 2025-01-21
CVE-2024-45091 | IBM UrbanCode Deploy information disclosure | UrbanCode Deploy | 6.2 | Medium | 2025-01-21
CVE-2024-11923 | Sensitive Information Disclosure in Fortra Application Hub Prior to version 1.3 | Fortra Application Hub | 5.5 | Medium | 2025-01-17
CVE-2024-12226 | Octopus Kubernetes security vulnerability | Kubernetes Worker or Kubernetes Agent | 6.5 | Medium | 2025-01-16
CVE-2024-55891 | Information Disclosure via Exception Handling/Logger in TYPO3 | typo3 | 3.1 | Low | 2025-01-14
CVE-2025-21323 | Windows Kernel Memory Information Disclosure Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-01-14
CVE-2025-21317 | Windows Kernel Memory Information Disclosure Vulnerability | Windows 10 Version 21H2 | 5.5 | Medium | 2025-01-14
CVE-2025-21321 | Windows Kernel Memory Information Disclosure Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-01-14
CVE-2025-21320 | Windows Kernel Memory Information Disclosure Vulnerability | Windows 10 Version 1507 | 5.5 | Medium | 2025-01-14

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.
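Several entries in the list above (proxy credentials in Docker Desktop logs, LDAP credentials in Checkmk's Apache error log, a GitHub PAT written to CodeQL debug artifacts, encryption keys in Snowflake and Brocade DEBUG logs) are the same defect discovered after the fact in logs that already existed. The Python script below is an added example, not tooling from any of those vendors or from this page, of the two operational checks the mitigations call for: scan existing log files for credential-shaped material, and flag log files that are readable or writable beyond their owner. The patterns, the `SAMPLE_LOG` lines and the throwaway directory layout are constructed for this example; the `ghp_`-style prefix is the one GitHub uses for its personal access tokens.

```python
import re
import stat
import tempfile
from pathlib import Path

# Added example. Credential shapes matching the kinds of leaks in the CVE list
# above; each pattern is a heuristic and will need tuning for a real log corpus.
PATTERNS = {
    "url_credential": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "github_pat": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),   # ghp_/gho_/ghu_/ghs_/ghr_
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "kv_credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|client_secret|api[_-]?key|"
        r"encryption[_-]?key)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = """\
2025-03-10 12:00:01 INFO  request completed path=/api/jobs status=200
2025-03-10 12:00:02 DEBUG proxy config http.proxy=http://build:Passw0rd!@proxy.internal:3128
2025-03-10 12:00:03 DEBUG outbound header Authorization: Bearer ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
2025-03-10 12:00:04 ERROR ldap bind failed: password=hunter2 dn=cn=svc,dc=example,dc=com
2025-03-10 12:00:05 INFO  audit event token_exposed=false
"""


def scan_text(text: str, source: str = "<memory>"):
    """Return (source, line number, pattern name) for every match in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((source, lineno, name))
    return findings


def scan_directory(root):
    """Scan every *.log* file under root (rotated files included)."""
    findings = []
    for path in sorted(Path(root).rglob("*.log*")):
        try:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
        except OSError:
            pass
    return findings


def permission_issues(root):
    """Flag log files whose mode grants read or write to group or others."""
    issues = []
    for path in sorted(Path(root).rglob("*.log*")):
        mode = path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            issues.append((str(path), "readable beyond owner"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append((str(path), "writable beyond owner"))
    return issues


def demo():
    """Lay out a throwaway log directory and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "app.log")
        audit = Path(tmp, "audit.log")
        app.write_text(SAMPLE_LOG)
        audit.write_text("2025-03-10 12:00:06 INFO  audit: login ok user=alice\n")
        app.chmod(0o644)     # the common default, and the weak one
        audit.chmod(0o600)   # owner-only: what a log that may hold secrets should look like
        return scan_directory(tmp), permission_issues(tmp)


if __name__ == "__main__":
    found, perms = demo()
    for f in found:
        print("secret-like material:", *f)
    for p in perms:
        print("permission:", *p)
```

Run it against a real log directory by calling `scan_directory` and `permission_issues` on that path. A hit from the scanner means the secret must be rotated, not just the line deleted; the copy in the log has to be assumed read.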