Information Leak Through Log Files

Description:
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. While logging everything may be helpful during development, logging levels must be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to attackers.

Relationships (View / Type / Nature / ID):
1000, 699 / Weakness / ChildOf / 538
1000, 699 / Weakness / ChildOf / 552
711 / Category / ChildOf / 731
844 / Category / ChildOf / 857
888 / Category / ChildOf / 895

Time of Introduction: Architecture and Design; Implementation; Operation

Likelihood of Exploit: Medium

Common Consequences:
Confidentiality: Read application data. Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information: log files are typically readable by more people and systems (operators, log shippers, backups, monitoring) than the application's data store, so anything written to them inherits that weaker protection.

Potential Mitigations:
Architecture and Design; Implementation: Consider carefully the sensitivity of the information written into log files. Do not write secrets into the log files.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.

Demonstrative Example:
In the following code snippet, a user's name and credit card number are written to a log file.

```java
// Vulnerable: the credit card number is written verbatim to the application log,
// where it is protected only as well as the log file itself.
logger.info("Username: " + username + ", CCN: " + ccn);
```

Taxonomy Mappings:
FIO13-J: Do not log sensitive information outside a trust boundary

Related Attack Patterns: 215

Submissions:
Anonymous Tool Vendor (under NDA)

Contributions:
Fortify Software, 2009-07-15: portions of Mitigations, Consequences and Description derived from content submitted by Fortify Software.

Modifications:
Sean Eidemiller (Cigital), 2008-07-01: added/updated demonstrative examples
Eric Dalci (Cigital), 2008-07-01: updated Potential_Mitigations, Time_of_Introduction
CWE Content Team (MITRE), 2008-09-08: updated Relationships, Taxonomy_Mappings
CWE Content Team (MITRE), 2009-03-10: updated Relationships
CWE Content Team (MITRE), 2009-07-27: updated Common_Consequences, Description, Likelihood_of_Exploit, Potential_Mitigations
CWE Content Team (MITRE), 2011-03-29: updated Name
CWE Content Team (MITRE), 2011-06-01: updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team (MITRE), 2012-05-11: updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
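The three mitigations listed above (keep secrets out of the log, protect the log file, tighten levels for production), worked through as an added example. This is not code from the CWE entry; it is written in Python rather than the Java of the demonstrative snippet so it can be run as-is. The secret field names, the card-number pattern, the logger name and the sample checkout event are assumptions made for illustration.

```python
"""Added example (not part of the CWE entry): keeping secrets out of log files.

Implements the mitigations listed above:
  - do not write secrets into log files: redact() drops secret fields at the
    source and mask_pan() masks card-number-like digit runs that reach the
    logger anyway;
  - protect log files against unauthorized read: the file is created 0600;
  - debug vs. production: configure_logger() only emits DEBUG outside production.
Field names, the card-number pattern and the sample event are assumptions.
"""
import logging
import os
import re
import stat
import tempfile

# Assumed set of record keys whose values must never be logged, even masked.
SECRET_FIELDS = {"password", "ccn", "card_number", "api_key", "session_token"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_pan(text):
    """Replace every card-number-like run with stars, keeping the last four digits."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


def redact(fields):
    """Return a copy of a structured event that is safe to hand to the logger.

    Secret fields get a fixed marker rather than a mask: a partial password or
    API key still helps an attacker. Other string values are scanned for PANs.
    """
    safe = {}
    for key, value in fields.items():
        if key.lower() in SECRET_FIELDS:
            safe[key] = "[REDACTED]"
        elif isinstance(value, str):
            safe[key] = mask_pan(value)
        else:
            safe[key] = value
    return safe


class RedactingFilter(logging.Filter):
    """Backstop on the handler: masks PANs in the final message text."""
    def filter(self, record):
        record.msg = mask_pan(record.getMessage())
        record.args = ()  # message is fully formatted now; prevent a second %-format
        return True


def open_private_log(path):
    """Create or open the log file with mode 0600, independent of the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)  # tighten a pre-existing file that was created looser
    return fd


def configure_logger(path, production):
    """Production: INFO and above. Debug builds keep DEBUG (raw events) for developer machines only."""
    logger = logging.getLogger("checkout")
    for old in logger.handlers:
        old.close()
    logger.handlers.clear()
    handler = logging.StreamHandler(os.fdopen(open_private_log(path), "a"))
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO if production else logging.DEBUG)
    logger.propagate = False
    return logger


def demo():
    """Log one checkout through the hardened setup and report what landed on disk."""
    path = os.path.join(tempfile.mkdtemp(), "checkout.log")
    logger = configure_logger(path, production=True)
    # Constructed sample event: the same data the vulnerable snippet logs verbatim.
    event = {"username": "alice", "ccn": "4111 1111 1111 1111", "amount": 42}
    logger.debug("raw event: %s", event)            # suppressed at INFO level
    logger.info("checkout ok: %s", redact(event))   # secrets removed at the source
    logger.info("support note: card 4111-1111-1111-1111 declined")  # caught by the filter
    with open(path) as fh:
        contents = fh.read()
    return {"mode": stat.S_IMODE(os.stat(path).st_mode), "contents": contents}


if __name__ == "__main__":
    print(demo()["contents"])
```

The order of the controls matters: redact() at the call site is the primary measure, because it knows which fields are secret; the handler filter is only a pattern-based backstop that catches card numbers pasted into free text, will mask any 13 to 19 digit run (long order IDs included), and catches nothing that does not look like a card number. The 0600 file mode only addresses local readers on the host; once the file is shipped to an aggregator or picked up by backups, its protection is whatever those systems provide, which is exactly the "less-protected path" the consequence above describes.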