Leakage of Information in Logger Message

Overview

  • Rule ID: java_lang_logger_leak

  • Applicable Languages: Java

  • Weakness ID: CWE-532

Description

Information leakage through logger messages can compromise sensitive data. This vulnerability arises when dynamic data or variables, which may contain sensitive information, are included in log messages.

Remediation Guidelines

  • Do not include variables or dynamic data containing sensitive information in logger messages. This can inadvertently expose sensitive data in logs, which are often not adequately protected.

    logger.info("user signed in: " + user.uuid); // unsafe: dynamic data in the message
    
  • Instead, log static messages that contain no dynamic variables or attributes. This minimizes the risk of accidentally logging sensitive information.

    logger.info("user signed in"); // safe: static message only
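The following is an added, runnable Java example (it is not code from the rule page or from the scanner's own rule set) that puts the flagged statement beside the recommended one and captures what a log sink actually receives. The User class, the sample UUID and the CapturingHandler are constructed for illustration; java.util.logging is used so the example needs no extra dependencies. It also goes one step beyond the page's two snippets by showing that switching from string concatenation to a parameterized message ({0}) does not fix the finding: the user-derived value still ends up in the log line.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

public class LoggerLeakExample {
    private static final Logger LOGGER = Logger.getLogger(LoggerLeakExample.class.getName());

    /** Constructed sample type standing in for an application's user object. */
    static final class User {
        final String uuid;
        final String email;
        User(String uuid, String email) { this.uuid = uuid; this.email = email; }
    }

    /** Collects fully formatted messages so we can inspect what a real log file would contain. */
    static final class CapturingHandler extends Handler {
        final List<String> lines = new ArrayList<>();
        private final SimpleFormatter formatter = new SimpleFormatter();

        @Override public void publish(LogRecord record) {
            // formatMessage substitutes {0}-style parameters exactly as a file handler would
            lines.add(formatter.formatMessage(record));
        }
        @Override public void flush() { }
        @Override public void close() { }
    }

    /** Flagged pattern from the rule page: a user attribute is concatenated into the message. */
    static void signInConcatenated(User user) {
        LOGGER.info("user signed in: " + user.uuid); // unsafe: dynamic data in the message
    }

    /** Still flagged: parameterized logging only changes how the value gets into the line, not whether it does. */
    static void signInParameterized(User user) {
        LOGGER.log(Level.INFO, "user signed in: {0}", user.uuid); // unsafe: value is substituted at format time
    }

    /** Recommended pattern: a constant message with no user-derived data. */
    static void signInStatic(User user) {
        LOGGER.info("user signed in"); // safe: static message only
    }

    public static void main(String[] args) {
        CapturingHandler sink = new CapturingHandler();
        LOGGER.setUseParentHandlers(false); // keep the demo output out of the console handler
        LOGGER.addHandler(sink);

        // Constructed sample user; the UUID is a placeholder, not a real identifier.
        User user = new User("123e4567-e89b-12d3-a456-426614174000", "alice@example.com");

        signInConcatenated(user);
        signInParameterized(user);
        signInStatic(user);

        // Show what each variant wrote; the first two lines carry the UUID, the third does not.
        for (String line : sink.lines) {
            System.out.println("log sink received: " + line);
        }
    }
}
```

Run with `javac LoggerLeakExample.java && java LoggerLeakExample`. The captured lines make the point of the rule concrete: only the static message keeps the identifier out of the log, and any formatting style that takes the value as an argument is equivalent to concatenation from the log file's point of view.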

References

Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can employ our SAST TOOL

Last updated