CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-202: Exposure of Sensitive Data Through Data Queries

 
Exposure of Sensitive Data Through Data Queries
Weakness ID: 202 (Weakness Variant)Status: Draft
+ Description

Description Summary

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read files or directories; Read application data

Sensitive information may possibly be leaked through data queries accidentally.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

See the book Translucent Databases for examples.

+ Potential Mitigations

Phase: Architecture and Design

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class359Exposure of Private Information ('Privacy Violation')
Research Concepts (primary)1000
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
CanAlsoBeWeakness VariantWeakness Variant201Information Exposure Through Sent Data
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPAccidental leaking of sensitive information through data queries
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Description, Relationships, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns, Relationships
2013-02-21CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Information Leak Through Data Queries
2011-03-29Privacy Leak through Data Queries
Page Last Updated: February 18, 2014