The product writes sensitive information to a log file.
View on MITRELogging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Remove debug log files before deploying the application into production.
Protect log files against unauthorized read/write.
Adjust configurations appropriately when software is transitioned from a debug state to production.
No detection method information available for this CWE.
In the following code snippet, a user's full name and credit card number are written to a log file.
This code stores location information about the current user:
When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.
In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.
The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.
No relationship information available for this CWE.
CWE-532: Insertion of Sensitive Information into Log File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product writes sensitive information to a log file.
If exploited, CWE-532 (Insertion of Sensitive Information into Log File) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-532 include: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. Remove debug log files before deploying the application into production. Protect log files against unauthorized read/write.
MITRE documents real CVEs mapped to CWE-532, including CVE-2017-9615 and CVE-2018-1999036. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-532 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.