Category: Comprehensive Categorization: Sensitive Information Exposure
Incomplete
Summary
Weaknesses in this category are related to sensitive information exposure.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1254 | Incorrect Comparison Logic Granularity | The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token. |
| CWE-1273 | Device Unlock Credential Sharing | The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information. |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages. |
| CWE-1300 | Improper Protection of Physical Side Channels | The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions. |
| CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs | The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result). |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-204 | Observable Response Discrepancy | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-205 | Observable Behavioral Discrepancy | The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. |
| CWE-206 | Observable Internal Behavioral Discrepancy | The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. |
| CWE-208 | Observable Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. |
| CWE-532 | Insertion of Sensitive Information into Log File | The product writes sensitive information to a log file. |
| CWE-535 | Exposure of Information Through Shell Error Message | A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-548 | Exposure of Information Through Directory Listing | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | Certain conditions, such as network failure, will cause a server error message to be displayed. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.