CWE - CWE-200: Information Exposure (3.3)

Weakness ID: 200

Abstraction: Class
Structure: Simple

Status: Incomplete

Presentation Filter:

Description

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Extended Description

The information either:

is regarded as sensitive within the product's own functionality, such as a private message; or
provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.

Many information exposures are resultant (e.g. PHP script error revealing the full path of the program), but they can also be primary (e.g. timing discrepancies in cryptography). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.

Alternate Terms

Information Leak:	This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as "memory leak") this deals with improper tracking of resources which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term.
Information Disclosure:	This term is frequently used in vulnerability databases and other sources, however "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, but do not refer to disclosure of security-relevant information.

Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	668	Exposure of Resource to Wrong Sphere
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	201	Information Exposure Through Sent Data
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	203	Information Exposure Through Discrepancy
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	209	Information Exposure Through an Error Message
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	212	Improper Cross-boundary Removal of Sensitive Data
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	213	Intentional Information Exposure
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	214	Information Exposure Through Process Environment
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	215	Information Exposure Through Debug Information
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	226	Sensitive Information Uncleared Before Release
ParentOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	359	Exposure of Private Information ('Privacy Violation')
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	497	Exposure of System Data to an Unauthorized Control Sphere
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	524	Information Exposure Through Caching
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	526	Information Exposure Through Environmental Variables
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	538	File and Directory Information Exposure
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	598	Information Exposure Through Query Strings in GET Request
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	612	Information Exposure Through Indexing of Private Data
CanFollow	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	498	Cloneable Class Containing Sensitive Information
CanFollow	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	499	Serializable Class Containing Sensitive Data

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

Nature	Type	ID	Name
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	203	Information Exposure Through Discrepancy
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	209	Information Exposure Through an Error Message
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	532	Inclusion of Sensitive Information in Log Files

Relevant to the view "Development Concepts" (CWE-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	199	Information Management Errors
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	840	Business Logic Errors
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	201	Information Exposure Through Sent Data
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	202	Exposure of Sensitive Data Through Data Queries
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	203	Information Exposure Through Discrepancy
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	209	Information Exposure Through an Error Message
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	212	Improper Cross-boundary Removal of Sensitive Data
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	213	Intentional Information Exposure
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	214	Information Exposure Through Process Environment
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	215	Information Exposure Through Debug Information
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	226	Sensitive Information Uncleared Before Release
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	497	Exposure of System Data to an Unauthorized Control Sphere
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	524	Information Exposure Through Caching
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	526	Information Exposure Through Environmental Variables
ParentOf	Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.	538	File and Directory Information Exposure
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	598	Information Exposure Through Query Strings in GET Request
ParentOf	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	612	Information Exposure Through Indexing of Private Data
CanFollow	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	498	Cloneable Class Containing Sensitive Information
CanFollow	Variant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.	499	Serializable Class Containing Sensitive Data

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Architecture and Design
Implementation

Applicable Platforms

The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Paradigms

Mobile (Undetermined Prevalence)

Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Confidentiality	Technical Impact: Read Application Data

Likelihood Of Exploit

High

Potential Mitigations

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

Weakness Ordinalities

Ordinality	Description
Resultant	(where the weakness is typically related to the presence of some other weaknesses)

Detection Methods

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Inter-application Flow Analysis

Effectiveness: SOAR Partial

Dynamic Analysis with Automated Results Interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Web Application Scanner

Web Services Scanner

Database Scanners

Effectiveness: High

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Fuzz Tester

Framework-based Fuzzer

Automated Monitored Execution

Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Manual Source Code Review (not inspections)

Effectiveness: High

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Context-configured Source Code Weakness Analyzer

Cost effective for partial coverage:

Source code Weakness Analyzer

Effectiveness: High

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Formal Methods / Correct-By-Construction

Cost effective for partial coverage:

Attack Modeling

Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Effectiveness: High

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	635	Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	717	OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	963	SFP Secondary Cluster: Exposed Data
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Information Leak (information disclosure)
OWASP Top Ten 2007	A6	CWE More Specific	Information Leakage and Improper Error Handling
WASC	13		Information Leakage

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-116	Excavation
CAPEC-13	Subverting Environment Variable Values
CAPEC-169	Footprinting
CAPEC-22	Exploiting Trust in Client
CAPEC-224	Fingerprinting
CAPEC-285	ICMP Echo Request Ping
CAPEC-287	TCP SYN Scan
CAPEC-290	Enumerate Mail Exchange (MX) Records
CAPEC-291	DNS Zone Transfers
CAPEC-292	Host Discovery
CAPEC-293	Traceroute Route Enumeration
CAPEC-294	ICMP Address Mask Request
CAPEC-295	Timestamp Request
CAPEC-296	ICMP Information Request
CAPEC-297	TCP ACK Ping
CAPEC-298	UDP Ping
CAPEC-299	TCP SYN Ping
CAPEC-300	Port Scanning
CAPEC-301	TCP Connect Scan
CAPEC-302	TCP FIN Scan
CAPEC-303	TCP Xmas Scan
CAPEC-304	TCP Null Scan
CAPEC-305	TCP ACK Scan
CAPEC-306	TCP Window Scan
CAPEC-307	TCP RPC Scan
CAPEC-308	UDP Scan
CAPEC-309	Network Topology Mapping
CAPEC-310	Scanning for Vulnerable Software
CAPEC-312	Active OS Fingerprinting
CAPEC-313	Passive OS Fingerprinting
CAPEC-317	IP ID Sequencing Probe
CAPEC-318	IP 'ID' Echoed Byte-Order Probe
CAPEC-319	IP (DF) 'Don't Fragment Bit' Echoing Probe
CAPEC-320	TCP Timestamp Probe
CAPEC-321	TCP Sequence Number Probe
CAPEC-322	TCP (ISN) Greatest Common Divisor Probe
CAPEC-323	TCP (ISN) Counter Rate Probe
CAPEC-324	TCP (ISN) Sequence Predictability Probe
CAPEC-325	TCP Congestion Control Flag (ECN) Probe
CAPEC-326	TCP Initial Window Size Probe
CAPEC-327	TCP Options Probe
CAPEC-328	TCP 'RST' Flag Checksum Probe
CAPEC-329	ICMP Error Message Quoting Probe
CAPEC-330	ICMP Error Message Echoing Integrity Probe
CAPEC-472	Browser Fingerprinting
CAPEC-573	Process Footprinting
CAPEC-574	Services Footprinting
CAPEC-575	Account Footprinting
CAPEC-576	Group Permission Footprinting
CAPEC-577	Owner Footprinting
CAPEC-59	Session Credential Falsification through Prediction
CAPEC-60	Reusing Session IDs (aka Session Replay)
CAPEC-616	Establish Rogue Location
CAPEC-643	Identify Shared Files/Directories on System
CAPEC-646	Peripheral Footprinting
CAPEC-651	Eavesdropping
CAPEC-79	Using Slashes in Alternate Encoding

References

[REF-172] Chris Wysopal. "Mobile App Top 10 List". 2010-12-13. <http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/>.

Content History

Submissions
Submission Date	Submitter	Organization
	PLOVER

Modifications
Modification Date	Modifier	Organization
2008-07-01	Eric Dalci	Cigital
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Description
2009-12-28	CWE Content Team	MITRE
2009-12-28	updated Alternate_Terms, Description, Name
2010-02-16	CWE Content Team	MITRE
2010-02-16	updated Taxonomy_Mappings
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Related_Attack_Patterns
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Description, Relationships
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Related_Attack_Patterns, Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2013-02-21	CWE Content Team	MITRE
2013-02-21	updated Alternate_Terms, Applicable_Platforms, References
2014-06-23	CWE Content Team	MITRE
2014-06-23	updated Related_Attack_Patterns
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Detection_Factors, Relationships
2015-12-07	CWE Content Team	MITRE
2015-12-07	updated Relationships
2017-05-03	CWE Content Team	MITRE
2017-05-03	updated Related_Attack_Patterns
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated References
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Related_Attack_Patterns
2019-06-20	CWE Content Team	MITRE
2019-06-20	updated Related_Attack_Patterns, Relationships
Previous Entry Names
Change Date	Previous Entry Name
2009-12-28	Information Leak (Information Disclosure)


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2006-2019, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy Policy Terms of Use Site Map Contact Us

Common Weakness Enumeration

CWE-200: Information Exposure