CWE-200: Information Leak (Information Disclosure)
Information Leak (Information Disclosure)
Weakness ID: 200 (Weakness Class)
Status: Incomplete
Description
Description Summary
An information leak is the intentional or unintentional
disclosure of information to an actor that is not explicitly authorized to have
access to that information.
Extended Description
The information either
(1) is regarded as sensitive within the product's own functionality,
such as a private message; or
(2) provides information about the product or its environment that
could be useful in an attack but is normally not available to the
attacker, such as the installation path of a product that is remotely
accessible.
Many information leaks are resultant (e.g. path disclosure in PHP script
error), but they can also be primary (e.g. timing discrepancies in crypto).
There are many different types of problems that involve information leaks.
Their severity can range widely depending on the type of information that is
leaked.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Likelihood of Exploit
High
Potential Mitigations
Phase
Description
Compartmentalize your system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area.
Weakness Ordinalities
Ordinality
Description
Resultant
(where the
weakness is typically related to the presence of some other
weaknesses)
Description
