logo

Exposure of Sensitive Information Through Data Queries

Draft Base
Structure: Simple
Description

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Common Consequences 1
Scope: Confidentiality

Impact: Read Files or DirectoriesRead Application Data

Sensitive information may possibly be leaked through data queries accidentally.
Potential Mitigations 1
Phase: Architecture and Design
This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
Demonstrative Examples 1
See the book Translucent Databases for examples.
Observed Examples 1
CVE-2022-41935Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.
References 1
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Likelihood of Exploit

Medium

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Exposure of Sensitive Information Through Metadata (CWE-1230)
Taxonomy Mapping
  • CLASP
Notes
Maintenance The relationship between Exposure of Sensitive Information Through Data Queries and Improper Authorization of Index Containing Sensitive Information needs to be investigated more closely, as they may be different descriptions of the same kind of problem. Exposure of Sensitive Information Through Data Queries is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, Exposure of Sensitive Information Through Metadata).