Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-200: Information Exposure

Information Exposure
Weakness ID: 200 (Weakness Class)Status: Incomplete
+ Description

Description Summary

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Extended Description

The information either

  1. is regarded as sensitive within the product's own functionality, such as a private message; or

  2. provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.

Many information exposures are resultant (e.g. PHP script error revealing the full path of the program), but they can also be primary (e.g. timing discrepancies in cryptography). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.

+ Alternate Terms
Information Leak:

This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as "memory leak") this deals with improper tracking of resources which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term.

Information Disclosure:

This term is frequently used in vulnerability databases and other sources, however "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, but do not refer to disclosure of security-relevant information.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



Architectural Paradigms

Mobile Application

+ Common Consequences

Technical Impact: Read application data

+ Likelihood of Exploit


+ Potential Mitigations

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

+ Weakness Ordinalities
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory199Information Management Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts (primary)1000
ChildOfCategoryCategory717OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory840Business Logic Errors
Development Concepts699
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness VariantWeakness Variant201Information Exposure Through Sent Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant202Exposure of Sensitive Data Through Data Queries
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class203Information Exposure Through Discrepancy
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base209Information Exposure Through an Error Message
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base212Improper Cross-boundary Removal of Sensitive Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base213Intentional Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant214Information Exposure Through Process Environment
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant215Information Exposure Through Debug Information
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base226Sensitive Information Uncleared Before Release
Development Concepts (primary)699
Research Concepts1000
ParentOfWeakness ClassWeakness Class359Exposure of Private Information ('Privacy Violation')
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant497Exposure of System Data to an Unauthorized Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant524Information Exposure Through Caching
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant526Information Exposure Through Environmental Variables
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base538File and Directory Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant598Information Exposure Through Query Strings in GET Request
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant612Information Exposure Through Indexing of Private Data
Development Concepts (primary)699
Research Concepts (primary)1000
MemberOfViewView635Weaknesses Used by NVD
Weaknesses Used by NVD (primary)635
CanFollowWeakness VariantWeakness Variant498Cloneable Class Containing Sensitive Information
Development Concepts699
Research Concepts1000
CanFollowWeakness VariantWeakness Variant499Serializable Class Containing Sensitive Data
Development Concepts699
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInformation Leak (information disclosure)
OWASP Top Ten 2007A6Information Leakage and Improper Error Handling
WASC13Information Leakage
+ References
[REF-33] Chris Wysopal. "Mobile App Top 10 List". 2010-12-13. <>.
+ Content History
Submission DateSubmitterOrganizationSource
Externally Mined
Modification DateModifierOrganizationSource
updated Time_of_Introduction
updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
updated Description
updated Alternate_Terms, Description, Name
updated Taxonomy_Mappings
updated Related_Attack_Patterns
updated Description, Relationships
updated Common_Consequences
updated Related_Attack_Patterns, Relationships
updated Potential_Mitigations
updated Alternate_Terms, Applicable_Platforms, References
updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
2009-12-28Information Leak (Information Disclosure)
Page Last Updated: June 23, 2014