Common Weakness Enumeration (CWE): Individual Dictionary Definition (CWE version 2.7)
CWE-200: Information Exposure

Weakness ID: 200 (Weakness Class). Status: Incomplete
+ Description

Description Summary

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Extended Description

The information either

  1. is regarded as sensitive within the product's own functionality, such as a private message; or

  2. provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.

Many information exposures are resultant (e.g. PHP script error revealing the full path of the program), but they can also be primary (e.g. timing discrepancies in cryptography). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.

+ Alternate Terms
Information Leak:

This is a frequently used term; however, the term "leak" has multiple uses within security. In some cases it refers to the exposure of information, but in other cases (such as "memory leak") it refers to improper tracking of resources, which can lead to exhaustion. As a result, CWE actively avoids the term "leak".

Information Disclosure:

This term is frequently used in vulnerability databases and other sources; however, "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, where it does not refer to the disclosure of security-relevant information.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

Language-independent

Architectural Paradigms

Mobile Application

+ Common Consequences
Scope and Effect

Technical Impact: Read application data

+ Likelihood of Exploit

High

+ Potential Mitigations

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
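As an added illustration (not part of the CWE entry) of the resultant exposure named in the Extended Description and of the trust-boundary mitigation above, the following Python shows an error response that carries an installation path to the client beside one that keeps the detail inside the server log, plus a constant-time token check for the primary (timing discrepancy) case; the sample exception, its path and the function names are constructed for this example.

```python
import hmac
import logging
import re
import uuid

log = logging.getLogger("app")

# Constructed sample input: the kind of failure a request handler might hit.
# The path is hypothetical; it stands in for the installation path that the
# Extended Description says should not be visible to a remote actor.
SAMPLE_EXC = FileNotFoundError(
    "[Errno 2] No such file or directory: '/srv/app/releases/3.1/config/db.ini'")

# What must not cross the trust boundary: absolute POSIX or Windows paths.
PATH_RE = re.compile(r"(/[\w.\-]+){2,}|[A-Za-z]:\\")


def unsafe_error_response(exc: Exception) -> dict:
    """Resultant CWE-200: the raw exception text is returned to the client,
    so the installation path leaks across the trust boundary."""
    return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}


def safe_error_response(exc: Exception) -> dict:
    """Mitigated: the detail stays in the safe compartment (server log);
    only a generic message and an opaque correlation id go to the client."""
    ref = uuid.uuid4().hex
    log.error("request %s failed", ref, exc_info=exc)
    return {"status": 500, "error": "internal error", "ref": ref}


def crosses_boundary(response: dict) -> bool:
    """Boundary check: True if any string field carries a file system path."""
    return any(isinstance(v, str) and PATH_RE.search(v)
               for v in response.values())


def token_matches(presented: str, expected: str) -> bool:
    """Primary CWE-200 avoided: a plain '==' can stop at the first differing
    byte, so response time would reveal how many leading bytes matched;
    compare_digest takes time independent of where the strings differ."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    for handler in (unsafe_error_response, safe_error_response):
        body = handler(SAMPLE_EXC)
        print(handler.__name__, body, "leaks path:", crosses_boundary(body))
```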

+ Weakness Ordinalities
Ordinality and Description
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 199 | Information Management Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ChildOf | Category | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Weaknesses in OWASP Top Ten (2007) (primary) 629
ChildOf | Category | 840 | Business Logic Errors | Development Concepts 699
ChildOf | Category | 895 | SFP Cluster: Information Leak | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Variant | 201 | Information Exposure Through Sent Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 202 | Exposure of Sensitive Data Through Data Queries | Development Concepts (primary) 699
ParentOf | Weakness Class | 203 | Information Exposure Through Discrepancy | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 209 | Information Exposure Through an Error Message | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 213 | Intentional Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 214 | Information Exposure Through Process Environment | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 215 | Information Exposure Through Debug Information | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 226 | Sensitive Information Uncleared Before Release | Development Concepts (primary) 699; Research Concepts 1000
ParentOf | Weakness Class | 359 | Exposure of Private Information ('Privacy Violation') | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 497 | Exposure of System Data to an Unauthorized Control Sphere | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 524 | Information Exposure Through Caching | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 526 | Information Exposure Through Environmental Variables | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 538 | File and Directory Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 598 | Information Exposure Through Query Strings in GET Request | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 612 | Information Exposure Through Indexing of Private Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635
CanFollow | Weakness Variant | 498 | Cloneable Class Containing Sensitive Information | Development Concepts 699; Research Concepts 1000
CanFollow | Weakness Variant | 499 | Serializable Class Containing Sensitive Data | Development Concepts 699; Research Concepts 1000
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Information Leak (information disclosure)
OWASP Top Ten 2007 | A6 | | Information Leakage and Improper Error Handling
WASC | 13 | | Information Leakage
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Change
2008-07-01 | | Cigital | External | updated Time_of_Introduction
2008-09-08 | | MITRE | Internal | updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14 | | MITRE | Internal | updated Description
2009-12-28 | | MITRE | Internal | updated Alternate_Terms, Description, Name
2010-02-16 | | MITRE | Internal | updated Taxonomy_Mappings
2010-04-05 | | MITRE | Internal | updated Related_Attack_Patterns
2011-03-29 | | MITRE | Internal | updated Description, Relationships
2011-06-01 | | MITRE | Internal | updated Common_Consequences
2012-05-11 | | MITRE | Internal | updated Related_Attack_Patterns, Relationships
2012-10-30 | | MITRE | Internal | updated Potential_Mitigations
2013-02-21 | | MITRE | Internal | updated Alternate_Terms, Applicable_Platforms, References
2014-06-23 | | MITRE | Internal | updated Related_Attack_Patterns
Previous Entry Names
Change Date | Previous Entry Name
2009-12-28 | Information Leak (Information Disclosure)
Page Last Updated: June 23, 2014