Cyber Resilience

CWE · MITRE source

CWE-532: Insertion of Sensitive Information into Log File

Abstraction: Base · CVEs in our corpus: 1,150

The product writes sensitive information to a log file.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 6 mapping(s) from 3 framework(s): ATT&CK 4 (mostly) · OWASP-Web 1 (mostly) · CAPEC 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A09:2025 Security Logging and Alerting Failures.

NIST 800-53 r5 controls that address this weakness (9) · AI

Control | Title | Family | Why it addresses this CWE
AU-1 | Policy and Procedures | AU | Procedures mandate excluding sensitive data from logs to prevent unauthorized exposure via audit records.
AU-13 | Monitoring for Information Disclosure | AU | Identifies insertion of sensitive data into logs, allowing detection of unauthorized disclosure.
AU-16 | Cross-organizational Audit Logging | AU | Cross-organizational coordination enables agreement on what data to include in audit logs, directly reducing insertion of sensitive information.
CM-13 | Data Action Mapping | CM | Identifying logging as a data action allows prevention of sensitive information being inserted into log files.
IR-9 | Information Spillage Response | IR | The process of identifying and eradicating spilled information applies directly to sensitive data inserted into log files.
PT-7 | Specific Categories of Personally Identifiable Information | PT | Specific processing rules for sensitive PII categories commonly include restrictions on logging, making insertion of such data into log files less likely.
RA-8 | Privacy Impact Assessments | RA | PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs.
SC-38 | Operations Security | SC | Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection.
SI-15 | Information Output Filtering | SI | Checking application output against expected content catches insertion of sensitive values into log streams or files.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction legend: "other covers this" / "this covers other" (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2023-21492 (KEV) | 10.0 | 4.4 | 0.0255 | 2023-05-04
CVE-2025-24984 (KEV) | 10.0 | 4.6 | 0.0183 | 2025-03-11
CVE-2019-1622 | 8.0 | 5.3 | 0.7886 | 2019-06-27
CVE-2020-35234 | 8.0 | 7.5 | 0.6341 | 2020-12-14
CVE-2023-43261 | 8.0 | 7.5 | 0.6011 | 2023-10-04
CVE-2024-20440 | 8.0 | 7.5 | 0.5147 | 2024-09-04
CVE-2016-8233 | 7.0 | 9.8 | 0.0114 | 2017-03-01
CVE-2017-7214 | 7.0 | 9.8 | 0.0228 | 2017-03-21
CVE-2017-8074 | 7.0 | 9.8 | 0.0194 | 2017-04-23
CVE-2017-8075 | 7.0 | 9.8 | 0.0179 | 2017-04-23
CVE-2017-4955 | 7.0 | 9.8 | 0.0141 | 2017-06-13
CVE-2017-9615 | 7.0 | 9.8 | 0.0140 | 2017-06-26
CVE-2017-6709 | 7.0 | 9.8 | 0.0129 | 2017-07-06
CVE-2017-6165 | 7.0 | 9.8 | 0.0192 | 2017-10-20
CVE-2017-15366 | 7.0 | 9.8 | 0.0141 | 2017-10-26
CVE-2017-1000171 | 7.0 | 9.8 | 0.0138 | 2017-11-03
CVE-2017-7550 | 7.0 | 9.8 | 0.0353 | 2017-11-21
CVE-2018-1000060 | 7.0 | 9.8 | 0.0240 | 2018-02-09
CVE-2018-1000123 | 7.0 | 9.8 | 0.0148 | 2018-03-13
CVE-2016-0898 | 7.0 | 10.0 | 0.0141 | 2018-03-29
CVE-2018-11320 | 7.0 | 9.8 | 0.0138 | 2018-05-21
CVE-2018-0042 | 7.0 | 9.8 | 0.0115 | 2018-07-11
CVE-2018-11716 | 7.0 | 9.8 | 0.1429 | 2018-07-16
CVE-2018-11717 | 7.0 | 9.8 | 0.0858 | 2018-07-16
CVE-2018-16049 | 7.0 | 9.8 | 0.0215 | 2018-10-03