Information Exposure
Weakness ID: 200 (Weakness Class)
Status: Incomplete
+ Description

Description Summary

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Extended Description

The information either

(1) is regarded as sensitive within the product's own functionality, such as a private message; or

(2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.

Many information exposures are resultant (e.g. path disclosure in PHP script error), but they can also be primary (e.g. timing discrepancies in crypto). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.
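The two kinds of exposure named above, shown side by side in an added Python example that is not part of the CWE entry: a handler that returns the raw error text (and with it the installation path) next to one that keeps the details server-side, and an ordinary token comparison next to a constant-time one. The installation path and the `load_config` failure are constructed for the illustration.

```python
import hmac
import logging
import traceback
import uuid

log = logging.getLogger("example-app")

# Constructed stand-in for the product's installation path (an assumption,
# not a value taken from the CWE entry).
INSTALL_PATH = "/opt/example-app"


def load_config(name):
    # Simulated failure whose message embeds the absolute installation path.
    raise FileNotFoundError(f"{INSTALL_PATH}/config/{name}.ini not found")


def handle_leaky(name):
    # Resultant exposure: the raw exception text, installation path included,
    # crosses the trust boundary to the remote client.
    try:
        return 200, load_config(name)
    except Exception as exc:
        return 500, f"Error: {exc}"


def handle_hardened(name):
    # The details stay inside the trust boundary (server log); the client only
    # gets a generic message plus an opaque reference id for support lookups.
    try:
        return 200, load_config(name)
    except Exception:
        ref = uuid.uuid4().hex
        log.error("request %s failed:\n%s", ref, traceback.format_exc())
        return 500, f"Internal error (reference {ref})"


def token_matches_leaky(expected, supplied):
    # Primary exposure: an ordinary equality check may stop at the first
    # differing byte, so response time correlates with the matching prefix.
    return expected == supplied


def token_matches_hardened(expected, supplied):
    # Constant-time comparison removes the timing discrepancy.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```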

+ Alternate Terms
Information Disclosure:

This term is frequently used in vulnerability databases and other sources; however, "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, where it does not refer to disclosure of security-relevant information.

Information Leak:

This is a frequently used term; however, the "leak" term has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as "memory leak") it deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Likelihood of Exploit

High

+ Potential Mitigations

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

+ Weakness Ordinalities
Ordinality | Description
Resultant | (where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 199 | Information Management Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ChildOf | Category | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Weaknesses in OWASP Top Ten (2007) (primary) 629
ParentOf | Weakness Variant | 201 | Information Leak Through Sent Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 202 | Privacy Leak through Data Queries | Development Concepts (primary) 699
ParentOf | Weakness Class | 203 | Information Exposure Through Discrepancy | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 209 | Information Exposure Through an Error Message | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 213 | Intended Information Leak | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 214 | Process Environment Information Leak | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 215 | Information Leak Through Debug Information | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 226 | Sensitive Information Uncleared Before Release | Development Concepts (primary) 699; Research Concepts 1000
ParentOf | Weakness Class | 359 | Privacy Violation | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 497 | Exposure of System Data to an Unauthorized Control Sphere | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 524 | Information Leak Through Caching | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 526 | Information Leak Through Environmental Variables | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 538 | File and Directory Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 598 | Information Leak Through Query Strings in GET Request | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 612 | Information Leak Through Indexing of Private Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635
CanFollow | Weakness Variant | 498 | Information Leak through Class Cloning | Development Concepts 699; Research Concepts 1000
CanFollow | Weakness Variant | 499 | Serializable Class Containing Sensitive Data | Development Concepts 699; Research Concepts 1000
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Information Leak (information disclosure)
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling
WASC | 13 | | Information Leakage
+ Related Attack Patterns
(CAPEC Version: 1.4)

CAPEC-ID | Attack Pattern Name
13 | Subverting Environment Variable Values
22 | Exploiting Trust in Client (aka Make the Client Invisible)
59 | Session Credential Falsification through Prediction
60 | Reusing Session IDs (aka Session Replay)
79 | Using Slashes in Alternate Encoding
+ Content History
Submissions

Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External (updated Time of Introduction)
2008-09-08 | CWE Content Team | MITRE | Internal (updated Likelihood of Exploit, Relationships, Taxonomy Mappings, Weakness Ordinalities)
2008-10-14 | CWE Content Team | MITRE | Internal (updated Description)
2009-12-28 | CWE Content Team | MITRE | Internal (updated Alternate Terms, Description, Name)

Previous Entry Names

Change Date | Previous Entry Name
2009-12-28 | Information Leak (Information Disclosure)