CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types
CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-202: Exposure of Sensitive Data Through Data Queries

Weakness ID: 202
Abstraction: Variant
Status: Draft
Presentation Filter:
+ Description

Description Summary

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read files or directories; Read application data

Sensitive information may possibly be leaked through data queries accidentally.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

See the book Translucent Databases for examples.

+ Potential Mitigations

Phase: Architecture and Design

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class359Exposure of Private Information ('Privacy Violation')
Research Concepts (primary)1000
ChildOfCategoryCategory967SFP Secondary Cluster: State Disclosure
Software Fault Pattern (SFP) Clusters (primary)888
CanAlsoBeWeakness VariantWeakness Variant201Information Exposure Through Sent Data
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPAccidental leaking of sensitive information through data queries
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Description, Relationships, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns, Relationships
2013-02-21CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2017-05-03CWE Content TeamMITREInternal
updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Information Leak Through Data Queries
2011-03-29Privacy Leak through Data Queries

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017 
 

Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org.

CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.
Privacy policy
Terms of use
Contact us