This category groups the CWE entries assigned to the Exposed Data cluster (SFP23) of the Software Fault Patterns (SFP) view: weaknesses whose common effect is that data becomes visible to an actor who should not see it, whether through logs, error messages, cleartext storage or transmission, leaked resources, or mutable internal state handed across a trust boundary.
| ID | Name | Description |
|---|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Debugging messages help attackers learn about the system and plan a form of attack. |
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making that resource an easy target for attackers. |
| CWE-14 | Compiler Removal of Code to Clear Buffers | Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root | The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. |
| CWE-256 | Plaintext Storage of a Password | The product stores a password in plaintext within resources such as memory or files. |
| CWE-257 | Storing Passwords in a Recoverable Format | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. Recoverable encrypted passwords provide no significant benefit over plaintext passwords, since they are subject to reuse not only by external attackers but also by malicious insiders. If a system administrator can recover a password directly, or by brute-force search over the available information, the administrator can use the password on other accounts. |
| CWE-260 | Password in Configuration File | The product stores a password in a configuration file that might be accessible to actors who do not know the password. |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-313 | Cleartext Storage in a File or on Disk | The product stores sensitive information in cleartext in a file, or on disk. |
| CWE-314 | Cleartext Storage in the Registry | The product stores sensitive information in cleartext in the registry. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | The product stores sensitive information in cleartext in a cookie. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | The product stores sensitive information in cleartext in memory. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | The product stores sensitive information in cleartext within the GUI. |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | The product stores sensitive information in cleartext in an executable. |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-374 | Passing Mutable Objects to an Untrusted Method | The product sends non-cloned mutable data as an argument to a method or function. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. |
| CWE-433 | Unparsed Raw Web Content Delivery | The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. |
| CWE-495 | Private Data Structure Returned From A Public Method | The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
| CWE-498 | Cloneable Class Containing Sensitive Information | The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. |
| CWE-499 | Serializable Class Containing Sensitive Data | The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| CWE-501 | Trust Boundary Violation | The product mixes trusted and untrusted data in the same data structure or structured message. |
| CWE-522 | Insufficiently Protected Credentials | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-523 | Unprotected Transport of Credentials | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | A backup file is stored in a directory or archive that is made accessible to unauthorized actors. |
| CWE-532 | Insertion of Sensitive Information into Log File | The product writes sensitive information to a log file. |
| CWE-535 | Exposure of Information Through Shell Error Message | A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | The web application uses persistent cookies, but the cookies contain sensitive information. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-546 | Suspicious Comment | The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. |
| CWE-548 | Exposure of Information Through Directory Listing | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | Certain conditions, such as network failure, will cause a server error message to be displayed; such messages can reveal sensitive details about the server, the application, or its environment. |
| CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | The J2EE application stores a plaintext password in a configuration file. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
| CWE-607 | Public Static Final Field References Mutable Object | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | While general comments are useful, programmers sometimes leave sensitive data in them, such as filenames related to the web application, old links or links that were not meant to be browsed by users, and old code fragments. |
| CWE-642 | External Control of Critical State Data | The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. |
| CWE-668 | Exposure of Resource to Wrong Sphere | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | The default error page of a web application should not display sensitive information about the product. |
| CWE-756 | Missing Custom Error Page | The product does not return custom error pages to the user, possibly exposing sensitive information. |
| CWE-767 | Access to Critical Private Variable via Public Method | The product defines a public method that reads or modifies a private variable. |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | Parent view of this cluster: CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
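Two of the logging entries above, CWE-117 and CWE-532, describe the same failure from opposite sides: untrusted input can forge log records, and trusted code can write secrets into them. The following Python is an added example, not part of the CWE text, showing a neutralizing, redacting formatter beside the vulnerable one. The sensitive-key denylist, the forged username, and the `demo` logger name are constructed for this demonstration.

```python
import logging
import re
from io import StringIO

# Constructed sample: an attacker-supplied username carrying CR/LF and a fake
# record, designed to make "login OK user=admin" appear as its own line (CWE-117).
FORGED_USERNAME = "alice\r\n2024-01-01 00:00:00 INFO login OK user=admin"

# Assumed denylist of field names whose values must never be logged (CWE-532).
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "authorization", "cookie"}

# Every ASCII control character, including CR, LF, TAB, ESC and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Escape control characters so a value cannot end or forge a log record."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def redact(fields: dict) -> dict:
    """Replace the values of sensitive keys (matched case-insensitively)."""
    return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else v)
            for k, v in fields.items()}


def format_event(event: str, fields: dict) -> str:
    """Build one single-line key=value record from untrusted fields."""
    parts = [f"{neutralize(str(k))}={neutralize(str(v))}"
             for k, v in redact(fields).items()]
    return event + " " + " ".join(parts)


def vulnerable_format(event: str, fields: dict) -> str:
    """The CWE-117/CWE-532 pattern: raw values straight into the record."""
    return event + " " + " ".join(f"{k}={v}" for k, v in fields.items())


def log_to_string(record: str) -> str:
    """Write a record through the logging module and return the emitted text."""
    buf = StringIO()
    logger = logging.getLogger("demo")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.warning(record)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    fields = {"user": FORGED_USERNAME, "password": "hunter2"}
    print("--- vulnerable: two records, one of them forged, plus a secret ---")
    print(log_to_string(vulnerable_format("login FAILED", fields)), end="")
    print("--- neutralized and redacted: one record ---")
    print(log_to_string(format_event("login FAILED", fields)), end="")
```

Escaping rather than stripping keeps the evidence that an injection was attempted, which is what an analyst reviewing the log wants. Values can still contain spaces and `=`, so a parser for these records should split on the first `=` of each field and treat the value as opaque; the point of `neutralize` is only that a value can never start a new line.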
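CWE-256, CWE-257 and CWE-522 turn on the difference between recoverable and one-way credential storage. The Python below is an added illustration, not taken from the CWE entries: a base64 "encoding" that any reader of the store reverses exactly, beside salted PBKDF2-HMAC-SHA256 verification with a constant-time comparison. The iteration count, the record format and the sample password are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration.
PASSWORD = "correct horse battery staple"

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the hardware that will verify logins.
PBKDF2_ITERATIONS = 210_000


def recoverable_store(password: str) -> str:
    """CWE-257 pattern: base64 is an encoding, not protection. Anyone who can read
    the stored value (an admin, a backup, a leaked dump) gets the password back."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recoverable_recover(stored: str) -> str:
    """What an insider or an attacker holding the store does with it."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way storage: random per-user salt, PBKDF2-HMAC-SHA256, self-describing record
    (assumed format: algorithm$iterations$salt_b64$hash_b64)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = recoverable_store(PASSWORD)
    print("recoverable store:", stored, "-> recovered:", recoverable_recover(stored))
    record = hash_password(PASSWORD)
    print("one-way record:   ", record)
    print("verify correct:   ", verify_password(PASSWORD, record))
    print("verify wrong:     ", verify_password("hunter2", record))
```

Because the salt is random per record, two hashes of the same password differ, which defeats precomputed tables and cross-account correlation; because the iteration count is stored in the record, it can be raised over time without invalidating existing users. A memory-hard function (scrypt, Argon2) is the stronger choice where available, but the structure shown here is the same.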
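CWE-374, CWE-375, CWE-495, CWE-607 and CWE-767 are the mutable-state members of this cluster. The Python below is an added example, not CWE text, showing how a getter that returns a live reference to a private structure (or a module-level "constant" that is really a shared list) lets a caller rewrite authorization state without ever calling the sanctioned mutator, and the copy-on-return fix. The `SessionStore` class and its role data are constructed for this demonstration.

```python
from typing import Dict, List, Tuple

# CWE-607 analogue: a "constant" default that is actually a shared mutable object.
DEFAULT_ROLES_UNSAFE: List[str] = ["user"]
# The fix: an immutable default that no other module can alter in place.
DEFAULT_ROLES: Tuple[str, ...] = ("user",)


class SessionStore:
    """Holds per-user role assignments; only grant_role() is meant to change them."""

    def __init__(self) -> None:
        # Constructed sample data for the demonstration.
        self._roles: Dict[str, List[str]] = {"alice": ["user"], "bob": ["user"]}

    def grant_role(self, user: str, role: str, actor_is_admin: bool) -> None:
        """The only sanctioned mutator, gated on the caller's privilege."""
        if not actor_is_admin:
            raise PermissionError("only administrators may grant roles")
        self._roles.setdefault(user, list(DEFAULT_ROLES)).append(role)

    def is_admin(self, user: str) -> bool:
        return "admin" in self._roles.get(user, ())

    def roles_unsafe(self, user: str) -> List[str]:
        """CWE-495 / CWE-375 pattern: hands the caller the live internal list."""
        return self._roles.get(user, DEFAULT_ROLES_UNSAFE)

    def roles_safe(self, user: str) -> Tuple[str, ...]:
        """Returns an immutable snapshot; nothing the caller does reaches _roles."""
        return tuple(self._roles.get(user, DEFAULT_ROLES))


def escalate_via_getter(store: SessionStore, user: str) -> bool:
    """Untrusted code that never calls grant_role() but mutates what it was handed."""
    roles = store.roles_unsafe(user)
    roles.append("admin")  # writes straight into store._roles through the leaked reference
    return store.is_admin(user)


def attempt_escalation_safe(store: SessionStore, user: str) -> bool:
    """Same attack against the copy-on-return getter: only the caller's copy changes."""
    mine = list(store.roles_safe(user))
    mine.append("admin")
    return store.is_admin(user)


def poison_shared_default() -> bool:
    """CWE-607: mutating the shared default list changes what every later lookup sees."""
    DEFAULT_ROLES_UNSAFE.append("admin")
    try:
        return "admin" in SessionStore().roles_unsafe("nobody")
    finally:
        DEFAULT_ROLES_UNSAFE.remove("admin")  # undo for the rest of the demo


if __name__ == "__main__":
    print("unsafe getter, alice admin after caller append:", escalate_via_getter(SessionStore(), "alice"))
    print("safe getter, alice admin after caller append:  ", attempt_escalation_safe(SessionStore(), "alice"))
    print("shared default poisoned for unknown users:     ", poison_shared_default())
```

The same rule applies in the other direction (CWE-374): pass copies, or read-only views such as `types.MappingProxyType`, to code outside the trust boundary, and treat any public method that reaches a private field (CWE-767) as part of the authorization surface that needs the same checks as `grant_role`.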