Information Exposure
Weakness ID: 200 (Weakness Class) | Status: Incomplete
Description Summary
Extended Description
The information either
(1) is regarded as sensitive within the product's own functionality, such as a private message; or
(2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.
Many information exposures are resultant (e.g. path disclosure in PHP script error), but they can also be primary (e.g. timing discrepancies in crypto). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.
Term | Description
---|---
Information Disclosure | This term is frequently used in vulnerability databases and other sources; however, "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, but there it does not refer to disclosure of security-relevant information.
Information Leak | This is a frequently used term; however, "leak" has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as "memory leak") it refers to improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term.
Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
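As an added illustration of this mitigation (example code written for this page, not part of the CWE entry): a handler that lets a raw exception string carrying an install path cross the trust boundary, beside one that keeps the detail in the server-side log and returns only an opaque reference. The install path, the record lookup and the messages are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed, hypothetical internal detail: an installation path that is
# sensitive in the CWE-200 sense (useful to an attacker, normally not visible).
INSTALL_PATH = "/srv/app/releases/2024.1/lib/db.py"


def load_record(record_id):
    """Hypothetical backend lookup whose error string carries the install path."""
    raise FileNotFoundError(f"{INSTALL_PATH}: record {record_id} not found")


def leaky_handler(record_id):
    """Weak form: the raw exception text crosses the trust boundary (cf. CWE-209)."""
    try:
        return {"status": 200, "body": load_record(record_id)}
    except Exception as exc:
        return {"status": 500, "body": f"error: {exc}"}


def safe_handler(record_id):
    """Compartmentalized form: the full traceback stays in the server-side log,
    keyed by an opaque incident id; only that id is sent to the client."""
    try:
        return {"status": 200, "body": load_record(record_id)}
    except Exception:
        incident = uuid.uuid4().hex
        log.error("incident %s: %s", incident, traceback.format_exc())
        return {"status": 500, "body": f"internal error (ref {incident})"}


def exposes(response, internal_value):
    """Review/test helper: does an internal value appear in the outbound body?"""
    return internal_value in response["body"]
```

The `exposes` check is the kind of assertion a test suite can run over every error path so that a new handler cannot silently reintroduce the exposure.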
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 199 | Information Management Errors | Development Concepts (primary) 699 |
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000 |
ChildOf | Category | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Weaknesses in OWASP Top Ten (2007) (primary) 629 |
ParentOf | Weakness Variant | 201 | Information Leak Through Sent Data | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 202 | Privacy Leak through Data Queries | Development Concepts (primary) 699 |
ParentOf | Weakness Class | 203 | Information Exposure Through Discrepancy | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 209 | Information Exposure Through an Error Message | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 213 | Intended Information Leak | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 214 | Process Environment Information Leak | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 215 | Information Leak Through Debug Information | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 226 | Sensitive Information Uncleared Before Release | Development Concepts (primary) 699, Research Concepts 1000 |
ParentOf | Weakness Class | 359 | Privacy Violation | Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 497 | Exposure of System Data to an Unauthorized Control Sphere | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 524 | Information Leak Through Caching | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 526 | Information Leak Through Environmental Variables | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 538 | File and Directory Information Exposure | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 598 | Information Leak Through Query Strings in GET Request | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 612 | Information Leak Through Indexing of Private Data | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635 |
CanFollow | Weakness Variant | 498 | Information Leak through Class Cloning | Development Concepts 699, Research Concepts 1000 |
CanFollow | Weakness Variant | 499 | Serializable Class Containing Sensitive Data | Development Concepts 699, Research Concepts 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Information Leak (information disclosure) |
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling |
WASC | 13 | | Information Leakage |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
| PLOVER | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Likelihood of Exploit, Relationships, Taxonomy Mappings, Weakness Ordinalities |
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description |
2009-12-28 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Description, Name |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2009-12-28 | Information Leak (Information Disclosure) |