
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class (604 CVEs)

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI-generated Chinese analysis included.

CWE-532 is an information-disclosure weakness in which software writes sensitive data, such as passwords, session or API tokens, payment card numbers or personal identifiers, into log files. Logs are almost always protected less carefully than the primary data store: they tend to be readable by more accounts on the host, are shipped to central collectors and SIEMs, get attached to bug reports, and linger after debug builds are promoted. An attacker who reaches them through weak file permissions, insecure storage, an exposed log viewer or a compromised operator account can harvest credentials for account takeover, financial fraud or further intrusion, and the CVE list below shows how often exactly this happens in mature products. The fix belongs at the logging call: redact or omit sensitive fields before they are passed to the logger, keep debug-level logging out of production configuration, restrict read and write access to log files and log pipelines, and audit both the logging configuration and samples of real output on a regular basis. Treating log files as repositories of confidential information, rather than as harmless diagnostics, reduces the attack surface and keeps the organization inside its data-protection obligations.

MITRE CWE Description (official title: Insertion of Sensitive Information into Log File)
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.
logger.info("Username: " + username + ", CCN: " + ccn);
Bad · Java
This code stores location information about the current user. If the location lookup throws, the catch block writes the whole User object, including the location just stored, to the device log through Log.e, where it is readable by anyone with access to logcat:
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}
Bad · Java
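The mitigation the summary above asks for, redacting sensitive fields before they reach the log, shown as an added example in Python. This is not MITRE's code and not taken from any product in the list below; RedactingFilter, SECRET_KEYS, the regular expressions and the sample values are assumptions chosen for illustration. It generalizes the first snippet's CCN case: card numbers are masked only when they pass the Luhn check, so order ids and timestamps stay readable, and credential-style key/value pairs are redacted as well.

```python
"""Redacting secrets and card numbers before they reach a log file.

Added example for CWE-532; not MITRE's code and not from any product
listed on this page. SECRET_KEYS, the patterns and the sample values are
assumptions chosen for illustration.
"""
import io
import logging
import re

# Field names whose values are credentials (assumed list; extend per schema).
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key")

# key=value, key: value or "key": "value"; groups: quote, key, separator,
# value quote, value.
_KV_RE = re.compile(
    r'(?i)(["\']?)(' + "|".join(SECRET_KEYS) + r')\1(\s*[:=]\s*)(["\']?)([^\s,"\'}]+)\4'
)

# Candidate payment card numbers: 13 to 19 digits, optional space/dash groups.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                      # not a card number; leave it readable
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_kv(m: re.Match) -> str:
    q, key, sep, vq = m.group(1), m.group(2), m.group(3), m.group(4)
    return f"{q}{key}{q}{sep}{vq}[REDACTED]{vq}"


def redact(text: str) -> str:
    """Mask credential values and Luhn-valid card numbers in free text."""
    return _PAN_RE.sub(_mask_pan, _KV_RE.sub(_mask_kv, text))


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message, so secrets passed as %-args are
    caught too. Attached to the handler, it covers every logger feeding it.
    It does not touch exception tracebacks (exc_info); keep secrets out of
    exception messages separately."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(username: str, ccn: str, password: str) -> str:
    """Emit the CWE example's 'Username: ..., CCN: ...' line through a redacting
    handler and return the line that actually lands in the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("cwe532.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    # Same call shape as the bad example, plus a password to show the kv path.
    logger.info("Username: %s, CCN: %s, password=%s", username, ccn, password)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample values; 4111111111111111 is a well-known test PAN.
    print(log_with_redaction("alice", "4111 1111 1111 1111", "hunter2"))
    print(redact('{"user": "bob", "token": "eyJhbGciOi", "order": 12345678901234}'))
```

The filter sits on the handler rather than on a logger, so it applies to every record that reaches that file regardless of which logger emitted it. It is a safety net, not the primary control: the first mitigation above still applies, and the right fix for the Java snippet is to drop the CCN argument from the call. The filter also does not inspect exception tracebacks or structured fields supplied through extra, so secrets carried there need their own handling.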
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-8609 | Improper Access Control in Oceanic Software's ValeApp | ValeApp | 7.5 (AI) | High (AI) | 2024-09-27
CVE-2023-46175 | IBM Cloud Pak for Multicloud Management information disclosure | Cloud Pak for Multicloud Management | 4.4 | Medium | 2024-09-26
CVE-2022-49037 | Synology Drive log information disclosure vulnerability | Synology Drive Client | 6.5 | Medium | 2024-09-26
CVE-2024-7421 | Devolutions Remote Desktop Manager security vulnerability | Remote Desktop Manager | 7.1 (AI) | High (AI) | 2024-09-25
CVE-2024-43990 | WordPress Masterstudy LMS Starter theme <= 1.1.8 - Sensitive Data Exposure vulnerability | Masterstudy LMS Starter | 5.3 | Medium | 2024-09-25
CVE-2024-8775 | Ansible-core: exposure of sensitive information in ansible vault files due to improper logging | | 5.5 | Medium | 2024-09-14
CVE-2024-4472 | Insertion of Sensitive Information into Log File in GitLab | GitLab | 4.0 | Medium | 2024-09-12
CVE-2021-22518 | Sensitive Information logging in NetIQ Identity Manager Driver | Identity Manager AzureAD Driver | 5.8 | Medium | 2024-09-12
CVE-2021-22533 | Possible Insertion of Sensitive Information into Log File Vulnerability | eDirectory | 6.5 | Medium | 2024-09-12
CVE-2022-26322 | Possible Insertion of Sensitive Information into Log File Vulnerability in Identity Manager | Identity Manager REST Driver 1.1.2.0200 | 4.9 | Medium | 2024-09-12
CVE-2024-43781 | Siemens SINUMERIK log information disclosure vulnerability | SINUMERIK 828D V4 | 5.5 | Medium | 2024-09-10
CVE-2024-42344 | Siemens SINEMA Remote Connect log information disclosure vulnerability | SINEMA Remote Connect Client | 4.4 | Medium | 2024-09-10
CVE-2024-20440 | Cisco Smart Licensing Utility security vulnerability | Cisco Smart License Utility | 7.5 | High | 2024-09-04
CVE-2024-8365 | Vault Leaks AppRole Client Tokens And Accessor in Audit Log | Vault | 6.2 | Medium | 2024-09-02
CVE-2024-43444 | Passwords are written to Admin Log Module | OTRS | 8.2 | High | 2024-08-26
CVE-2024-41719 | BIG-IP Next Central Manager vulnerability | BIG-IP Next Central Manager | 4.2 | Medium | 2024-08-14
CVE-2024-41978 | Multiple Siemens products log information disclosure vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 6.5 | Medium | 2024-08-13
CVE-2024-37930 | WordPress SmartMag theme < 10.1.0 - Sensitive Data Exposure via Log File vulnerability | SmartMag | 5.3 | Medium | 2024-08-12
CVE-2024-37283 | Elastic Agent Insertion of Sensitive Information into Log File | Elastic Agent | 7.5 (AI) | High (AI) | 2024-08-08
CVE-2024-37286 | APM Server Insertion of Sensitive Information into Log File | APM Server | 5.7 | Medium | 2024-08-03
CVE-2024-38321 | IBM Business Automation Workflow information disclosure | Business Automation Workflow | 5.3 | Medium | 2024-08-03
CVE-2024-42349 | FOG has a Log Information Disclosure | fogproject | 5.3 | Medium | 2024-08-02
CVE-2024-6977 | Cato Networks Windows SDP Client Sensitive data in trace logs can lead to account takeover | SDP Client | 6.5 | Medium | 2024-07-31
CVE-2023-49921 | Elasticsearch security vulnerability | Elasticsearch | 5.2 | Medium | 2024-07-26
CVE-2024-41178 | Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files | Apache Arrow Rust Object Store | 8.1 (AI) | High (AI) | 2024-07-23
CVE-2024-41824 | JetBrains TeamCity security vulnerability | TeamCity | 6.4 | Medium | 2024-07-22
CVE-2024-41129 | The ops library leaks secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command | operator | 4.4 | Medium | 2024-07-22
CVE-2024-0006 | DB User Password Leak in Application Log | YugabyteDB Anywhere | 7.1 | - | 2024-07-19
CVE-2024-40636 | Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness | security-advisories | 5.3 | Medium | 2024-07-17
CVE-2024-39532 | Junos OS and Junos OS Evolved: Confidential information in logs can be accessed by another user | Junos OS | 6.3 | Medium | 2024-07-11

Values marked (AI) are scores the page labels as AI-generated rather than taken from the official record; check the vendor advisory or NVD entry before relying on them.

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) number 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.