Sensitive Information Uncleared Before Release |
Weakness ID: 226 (Weakness Base) | Status: Draft |
Description Summary
Extended Description
This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. Failing to clear memory when finished may allow unintended actors to read the data when the memory is reallocated.
Reference | Description |
---|---|
CVE-2003-0001 | Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets. |
CVE-2003-0291 | router does not clear information from DHCP packets that have been previously used |
CVE-2005-1406 | Products do not fully clear memory buffers when less data is stored into the buffer than previous. |
CVE-2005-1858 | Products do not fully clear memory buffers when less data is stored into the buffer than previous. |
CVE-2005-3180 | Products do not fully clear memory buffers when less data is stored into the buffer than previous. |
CVE-2005-3276 | Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory. |
CVE-2002-2077 | Memory not properly cleared before reuse. |
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 200 | Information Exposure | Development Concepts (primary)699 Research Concepts1000 |
ChildOf | Weakness Base | 459 | Incomplete Cleanup | Research Concepts (primary)1000 |
ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 729 | OWASP Top Ten 2004 Category A8 - Insecure Storage | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | Category | 742 | CERT C Secure Coding Section 08 - Memory Management (MEM) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
CanAlsoBe | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Research Concepts1000 |
CanAlsoBe | Category | 310 | Cryptographic Issues | Research Concepts1000 |
ParentOf | Weakness Variant | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Research Concepts (primary)1000 |
There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000). |
Currently frequently found for network packets, but it can also exist in local memory allocation, files, etc. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Sensitive Information Uncleared Before Use | ||
CERT C Secure Coding | MEM03-C | Clear sensitive information stored in reusable resources returned for reuse |
This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective - the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Description, Other Notes | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Sensitive Information Uncleared Before Use | |||