
CWE-210 Individual Dictionary Definition (Draft 9)

Product-Generated Error Message Information Leak

Weakness ID: 210 (Weakness Base)
Status: Draft

Description

Summary

The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Functional Area

Non-specific

Potential Mitigations

Implementation: Every error message should be examined for dangerous revelations.

Build: Debugging information should not make its way into a production release.

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.
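
One way to apply the mitigations above, shown as an added example that is not part of the CWE entry: the weak handler builds its own error message from internal state, while the corrected one logs the detail server-side and returns a default message with a reference ID. `load_account`, the handler names, the sample error text and the `reveals_internals` patterns are all constructed for illustration.

```python
import logging
import re
import uuid

# Server-side log; in production this goes to an access-controlled log store.
log = logging.getLogger("app.errors")

# Constructed heuristics for "dangerous revelations": SQL text, file paths,
# internal hostnames, stack traces. A real list would be tuned per product.
SENSITIVE = re.compile(
    r"(SELECT\s|/[\w.-]+/[\w./-]+|\b[\w-]+\.internal\b|Traceback)", re.I
)

def reveals_internals(message):
    """Return True if an outgoing message matches a sensitive pattern."""
    return bool(SENSITIVE.search(message))

class AccountStoreError(Exception):
    """Constructed failure that carries internal details, as real errors often do."""

def load_account(user_id):
    # Hypothetical data-access call that always fails with a detail-rich message.
    raise AccountStoreError(
        f"query failed: SELECT * FROM accounts WHERE id={user_id!r} "
        "on db01.internal:5432 as svc_app (/srv/app/dao/accounts.py)"
    )

def handle_leaky(user_id):
    """Weak form: the product's own error message embeds internal state."""
    try:
        return 200, load_account(user_id)
    except Exception as exc:
        return 500, f"Error loading account: {exc}"

def handle_safe(user_id):
    """Corrected form: detail stays in the log, the user gets a default message."""
    try:
        return 200, load_account(user_id)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        # Full detail, including the traceback, is recorded server-side only.
        log.exception("incident=%s user_id=%r account load failed", incident, user_id)
        return 500, f"An internal error occurred. Reference: {incident}"
```

The `reveals_internals` check can also run in tests or as a last-line response filter, so that a newly added error path that echoes internal detail is caught before release.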

Observed Examples

Reference | Description
CVE-2005-1745 | Infoleak of sensitive information in error message (physical access required).

Context Notes

Attack: trigger error, monitor responses.

Relationships

Nature | Type | ID | Name
ChildOf | Weakness Base | 209 | Error Message Information Leaks
ParentOf | Weakness Variant | 535 | Information Leak Through Shell Error Message
ParentOf | Weakness Variant | 536 | Information Leak Through Servlet Runtime Error Message
ParentOf | Weakness Variant | 537 | Information Leak Through Java Runtime Error Message
ParentOf | Weakness Variant | 550 | Information Leak Through Server Error Message

Source Taxonomies

PLOVER - Product-Generated Error Message Infoleak

Applicable Platforms

All

Page Last Updated: April 22, 2008