Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List version 2.7
CWE-202: Exposure of Sensitive Data Through Data Queries
Weakness ID: 202 (Weakness Variant)
Status: Draft
+ Description

Description Summary

Even when information is meant to be kept confidential, an attacker can often infer some of it statistically from the results of queries the system does permit.

Extended Description

In situations where data should not be tied to individual users, but a large number of users are allowed to run queries whose results "scrub" user identities, it may still be possible to learn information about a particular user, e.g., by specifying search terms that are known to match only that user, so that the "aggregate" result describes a single person.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences

Technical Impact: Read files or directories; Read application data

Sensitive information may be leaked accidentally through the results of data queries.

+ Demonstrative Examples

Example 1

See the book Translucent Databases for examples.
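The following is an added example (not from the CWE entry or from the cited book) that makes the inference attack in the description concrete. It builds a hypothetical statistics service in Python over an in-memory SQLite table with no identifying column, which only ever returns COUNT and SUM for a caller-chosen filter. The table, the figures, the service, and the minimum-group-size rule are all constructed for illustration. Two attacks are shown: search terms unique to the target turn an "aggregate" into that person's own value, and, once a minimum group size is enforced, differencing two permitted aggregates recovers the same value. The second attack goes beyond the text of the entry and demonstrates why a group-size floor alone does not close the weakness.

```python
import sqlite3

# Constructed sample data (not from the CWE entry): a pay table with no
# identifying column. Each row is (dept, title, hired, salary).
ROWS = [
    ("eng", "engineer", 2015, 120000),
    ("eng", "engineer", 2018, 110000),
    ("eng", "engineer", 2019, 105000),
    ("eng", "manager",  2012, 150000),   # the only manager in eng
    ("ops", "engineer", 2016,  95000),
    ("ops", "engineer", 2020,  90000),
    ("ops", "analyst",  2017,  80000),
    ("ops", "analyst",  2021,  78000),
]

# Columns a caller may filter on; filter values are always bound as parameters.
FILTERABLE = ("dept", "title", "hired")


class StatsService:
    """Hypothetical 'scrubbed' query interface: callers never see rows,
    only COUNT and SUM of salary over a filter they choose."""

    def __init__(self, rows, min_group=1):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE pay (dept TEXT, title TEXT, hired INTEGER, salary INTEGER)")
        self.db.executemany("INSERT INTO pay VALUES (?, ?, ?, ?)", rows)
        # min_group > 1 models a naive defence: refuse aggregates over fewer
        # than min_group rows so that no single row is reported on its own.
        self.min_group = min_group

    def aggregate(self, **filters):
        unknown = set(filters) - set(FILTERABLE)
        if unknown:
            raise ValueError(f"cannot filter on {sorted(unknown)}")
        # Column names come only from FILTERABLE; values are bound, not interpolated.
        where = " AND ".join(f"{col} = ?" for col in filters) or "1 = 1"
        n, total = self.db.execute(
            f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM pay WHERE {where}",
            tuple(filters.values()),
        ).fetchone()
        if n < self.min_group:
            raise PermissionError(f"query set too small ({n} < {self.min_group})")
        return n, total


def direct_attack(svc):
    """Search terms known to be unique to the target (the only eng manager)
    select exactly one row, so the SUM is that person's salary.
    Returns the salary, or None if the service refuses the query."""
    try:
        n, total = svc.aggregate(dept="eng", title="manager")
    except PermissionError:
        return None
    return total if n == 1 else None


def differencing_attack(svc):
    """Both queries cover several rows and pass a minimum-group check, but
    the target is the only row in the first set that is not in the second,
    so the difference of the two sums is the target's salary."""
    n_all, sum_all = svc.aggregate(dept="eng")
    n_rest, sum_rest = svc.aggregate(dept="eng", title="engineer")
    if n_all - n_rest != 1:
        return None  # residual set is not a single row; the difference is not one person
    return sum_all - sum_rest


if __name__ == "__main__":
    print("no threshold, direct:     ", direct_attack(StatsService(ROWS)))
    guarded = StatsService(ROWS, min_group=3)
    print("min_group=3, direct:      ", direct_attack(guarded))
    print("min_group=3, differencing:", differencing_attack(guarded))
```

Both attacks use only queries the service is designed to answer, which is the point of the weakness: the leak is a property of the query interface and the data, not of any one bug. A minimum query-set size stops the direct case but not the differencing case, because the attacker combines results across requests; controls that account for overlapping query sets, or that add noise to aggregates, are the usual responses, but they are outside what this entry describes.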

+ Potential Mitigations

Phase: Architecture and Design

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

+ Relationships

Nature     | Type             | ID  | Name                                                  | View(s) this relationship pertains to
ChildOf    | Weakness Class   | 200 | Information Exposure                                  | Development Concepts (primary) (699)
ChildOf    | Weakness Class   | 359 | Exposure of Private Information ('Privacy Violation') | Research Concepts (primary) (1000)
ChildOf    | Category         | 895 | SFP Cluster: Information Leak                         | Software Fault Pattern (SFP) Clusters (primary) (888)
CanAlsoBe  | Weakness Variant | 201 | Information Exposure Through Sent Data                | Research Concepts (1000)
+ Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP                |         |     | Accidental leaking of sensitive information through data queries
+ Content History

Submission
  • Source: Externally Mined

Modifications
  • updated Time_of_Introduction
  • updated Common_Consequences, Description, Relationships, Taxonomy_Mappings
  • updated Name
  • updated Common_Consequences
  • updated Related_Attack_Patterns, Relationships
  • updated Potential_Mitigations

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11  | Information Leak Through Data Queries
2011-03-29  | Privacy Leak through Data Queries
Page Last Updated: June 23, 2014