...
While several instances of this anti-pattern can be found in the wild, one example is the fix provided in the LineControl Java client. Prior to version 0.8.1, the client logged sensitive information such as the local user's password [CVE 2008].
Noncompliant Code Example
...
If the exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it before returning control to the next statement in the catch block. (See guideline EXC01-J. Use a class dedicated to reporting exceptions.)
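To make the cleanse-then-report step concrete, the following is an added example, not code from the CERT page or from the LineControl project: a MyExceptionReporter that redacts credential-style fields from an exception message before anything is logged. The class body, the SECRET_FIELD pattern and the LoginService caller are assumptions.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added illustration: MyExceptionReporter is the class name the text uses, but this
// body, the SECRET_FIELD pattern and the LoginService caller are assumptions.
final class MyExceptionReporter {
    private static final Logger LOG = Logger.getLogger("app");
    // Constructed, deliberately broad pattern for key=value fields that must never be logged.
    private static final Pattern SECRET_FIELD =
        Pattern.compile("(?i)\\b(password|passwd|pwd|token|secret)\\b\\s*[=:]\\s*\\S+");

    private MyExceptionReporter() {}

    // Cleanses the exception before anything reaches the log: only the exception class and a
    // redacted copy of its message are kept. The Throwable itself is never handed to the logger,
    // because Logger.log(Level, String, Throwable) would print its raw message and stack trace.
    // Redaction is a safety net; the real fix is to keep secrets out of exception messages.
    static String cleanse(Throwable t) {
        String msg = t.getMessage() == null ? "" : t.getMessage();
        return t.getClass().getName() + ": "
            + SECRET_FIELD.matcher(msg).replaceAll("$1=<redacted>");
    }

    static void report(Throwable t) {
        LOG.log(Level.WARNING, cleanse(t));
    }
}

class LoginService {
    void authenticate(String user, char[] password) {
        try {
            // Constructed failure whose message carries the credential (the LineControl-style bug).
            throw new IllegalStateException(
                "login failed for user=" + user + " password=" + new String(password));
        } catch (IllegalStateException e) {
            // Noncompliant: would write the password to the log as part of e.getMessage().
            // LOG.log(Level.WARNING, "login error", e);

            // Compliant: cleanse first, then continue with the rest of the catch block.
            MyExceptionReporter.report(e);
        }
    }

    public static void main(String[] args) {
        new LoginService().authenticate("alice", "hunter2".toCharArray());
    }
}
```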
Noncompliant Code Example
...
Logging sensitive information can break the security of the system and violate user privacy when the logging level is set incorrectly or when the log files are not secured properly.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
FIO08-J | medium | probable | high | P4 | L3
...