This category identifies Software Fault Patterns (SFPs) within the State Disclosure cluster.

| ID | Name | Description |
|---|---|---|
| CWE-202 | Exposure of Sensitive Information Through Data Queries | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
| CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-204 | Observable Response Discrepancy | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
| CWE-205 | Observable Behavioral Discrepancy | The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. |
| CWE-206 | Observable Internal Behavioral Discrepancy | The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. |
| CWE-208 | Observable Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |