CWE-532: Insertion of Sensitive Information into Log File

CWE-532: Insertion of Sensitive Information into Log File | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following code snippet, a user's full name and credit card number are written to a log file.

Vulnerable example

java

logger.info("Username: " + usernme + ", CCN: " + ccn);

This code stores location information about the current user:

Vulnerable example

java

...
locationClient = new LocationClient(this, this, this);

When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.

In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.

Vulnerable example

java

public BankAccount getUserBankAccount(String username, String accountNumber) {

The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.

CWE-532: Insertion of Sensitive Information into Log File

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-532?

What CVEs are caused by CWE-532?

How do you prevent CWE-532?

How is CWE-532 detected?

What are the consequences of CWE-532?

Is CWE-532 actively exploited?

References

Stay ahead of CWE-532

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-532?

What CVEs are caused by CWE-532?

How do you prevent CWE-532?

How is CWE-532 detected?

What are the consequences of CWE-532?

Is CWE-532 actively exploited?

References

Stay ahead of CWE-532