Leakage of Information in Logger Message

Overview

Rule ID: java_lang_logger_leak
Applicable Languages: Java
Weakness ID: CWE-532

Description

Information leakage through logger messages can compromise sensitive data. This vulnerability arises when dynamic data or variables, which may contain sensitive information, are included in log messages.

Remediation Guidelines

Do not include variables or dynamic data containing sensitive information in logger messages. This can inadvertently expose sensitive data in logs, which are often not adequately protected.
```
logger.info("user signed in: " + user.uuid) // unsafe
```
Instead, Do log static messages that do not contain dynamic variables or attributes. This minimizes the risk of accidentally logging sensitive information.
```
logger.info("user signed in")
```

References

Configuration

PreviousGIT Leaks NextLeakage of sensitive data in cookie

Last updated 8 months ago