|
|
|
|
CWE-200 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Incomplete 200 (Weakness Class) | | Description | Summary An information leak is the intentional or unintentional disclosure of
information that either (1) is regarded as sensitive within the product's own
functionality, such as a private message, or (2) provides information about the product
or its environment that could be useful in an attack but is normally not available to
the attacker, such as the installation path of a product that is remotely accessible.
Many information leaks are resultant (e.g. path disclosure in PHP script error), but
they can also be primary (e.g. timing discrepancies in crypto). There are many different
types of problems that involve information leaks. Their severity can range widely
depending on the type of information that is leaked. | | Potential Mitigations | Compartmentalize your system to have "safe" areas where trust boundaries can
be unambiguously drawn. Do not allow sensitive data to go outside of the trust
boundary and always be careful when interfacing with a compartment outside of the
safe area. | | Relationships | | | Source Taxonomies | PLOVER - Information Leak (information disclosure) | | Applicable Platforms | All | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 79 | Using Slashes in Alternate Encoding | | 22 | Exploiting Trust in Client (aka Make the Client Invisible) | | 13 | Subverting Environment Variable Values | | 60 | Reusing Session IDs (aka Session Replay) | | 59 | Session Credential Falsification through Prediction |
|
|