CWE-532: Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 6 mapping(s) from 3 framework(s): ATT&CK 4 (mostly) · OWASP-Web 1 (mostly) · CAPEC 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A09:2025 Security Logging and Alerting Failures.
NIST 800-53 r5 controls that address this weakness (9) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AU-1 | Policy and Procedures | AU | Procedures mandate excluding sensitive data from logs to prevent unauthorized exposure via audit records. |
| AU-13 | Monitoring for Information Disclosure | AU | Identifies insertion of sensitive data into logs, allowing detection of unauthorized disclosure. |
| AU-16 | Cross-organizational Audit Logging | AU | Cross-organizational coordination enables agreement on what data to include in audit logs, directly reducing insertion of sensitive information. |
| CM-13 | Data Action Mapping | CM | Identifying logging as a data action allows prevention of sensitive information being inserted into log files. |
| IR-9 | Information Spillage Response | IR | The process of identifying and eradicating spilled information applies directly to sensitive data inserted into log files. |
| PT-7 | Specific Categories of Personally Identifiable Information | PT | Specific processing rules for sensitive PII categories commonly include restrictions on logging, making insertion of such data into log files less likely. |
| RA-8 | Privacy Impact Assessments | RA | PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs. |
| SC-38 | Operations Security | SC | Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection. |
| SI-15 | Information Output Filtering | SI | Checking application output against expected content catches insertion of sensitive values into log streams or files. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-21492 (KEV) | 10.0 | 4.4 | 0.0255 | 2023-05-04 |
| CVE-2025-24984 (KEV) | 10.0 | 4.6 | 0.0183 | 2025-03-11 |
| CVE-2019-1622 | 8.0 | 5.3 | 0.7886 | 2019-06-27 |
| CVE-2020-35234 | 8.0 | 7.5 | 0.6341 | 2020-12-14 |
| CVE-2023-43261 | 8.0 | 7.5 | 0.6011 | 2023-10-04 |
| CVE-2024-20440 | 8.0 | 7.5 | 0.5147 | 2024-09-04 |
| CVE-2016-8233 | 7.0 | 9.8 | 0.0114 | 2017-03-01 |
| CVE-2017-7214 | 7.0 | 9.8 | 0.0228 | 2017-03-21 |
| CVE-2017-8074 | 7.0 | 9.8 | 0.0194 | 2017-04-23 |
| CVE-2017-8075 | 7.0 | 9.8 | 0.0179 | 2017-04-23 |
| CVE-2017-4955 | 7.0 | 9.8 | 0.0141 | 2017-06-13 |
| CVE-2017-9615 | 7.0 | 9.8 | 0.0140 | 2017-06-26 |
| CVE-2017-6709 | 7.0 | 9.8 | 0.0129 | 2017-07-06 |
| CVE-2017-6165 | 7.0 | 9.8 | 0.0192 | 2017-10-20 |
| CVE-2017-15366 | 7.0 | 9.8 | 0.0141 | 2017-10-26 |
| CVE-2017-1000171 | 7.0 | 9.8 | 0.0138 | 2017-11-03 |
| CVE-2017-7550 | 7.0 | 9.8 | 0.0353 | 2017-11-21 |
| CVE-2018-1000060 | 7.0 | 9.8 | 0.0240 | 2018-02-09 |
| CVE-2018-1000123 | 7.0 | 9.8 | 0.0148 | 2018-03-13 |
| CVE-2016-0898 | 7.0 | 10.0 | 0.0141 | 2018-03-29 |
| CVE-2018-11320 | 7.0 | 9.8 | 0.0138 | 2018-05-21 |
| CVE-2018-0042 | 7.0 | 9.8 | 0.0115 | 2018-07-11 |
| CVE-2018-11716 | 7.0 | 9.8 | 0.1429 | 2018-07-16 |
| CVE-2018-11717 | 7.0 | 9.8 | 0.0858 | 2018-07-16 |
| CVE-2018-16049 | 7.0 | 9.8 | 0.0215 | 2018-10-03 |