Common Weakness Enumeration
Individual Dictionary Definition (CWE version 2.11)

CWE-922: Insecure Storage of Sensitive Information

Weakness ID: 922
Abstraction: Class
Status: Incomplete
+ Description

Description Summary

The software stores sensitive information without properly limiting read or write access by unauthorized actors.

Extended Description

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
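The entry is language-independent; as an added illustration (not part of the CWE entry) the following Python assumes POSIX file permissions as the storage mechanism, and contrasts a writer that leaves a secret file with the process's default mode against one that pins owner-only access at creation, plus an audit check that reports which of the two consequences above a file's mode permits.

```python
import os
import stat
import tempfile

def store_secret_insecurely(path: str, data: bytes) -> None:
    """CWE-922 pattern: the file gets the process's default mode, so with the
    common umask of 022 it is created 0644 and every local user can read it."""
    with open(path, "wb") as f:
        f.write(data)

def store_secret(path: str, data: bytes) -> None:
    """Create the file with owner-only access from the moment it exists, so
    there is no window in which another user can read or replace it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # requested mode is still masked by umask
    with os.fdopen(fd, "wb") as f:
        os.fchmod(fd, 0o600)                  # so pin it explicitly before writing
        f.write(data)

def insecure_storage_findings(path: str) -> list:
    """Audit check: which of the two CWE-922 consequences the file mode allows."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by others (Confidentiality)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by others (Integrity)")
    return findings

def demo() -> dict:
    """Store a constructed sample token both ways in a temp dir and audit each file."""
    workdir = tempfile.mkdtemp()
    secure, insecure, shared = (os.path.join(workdir, n) for n in ("a", "b", "c"))
    token = b"constructed-sample-token"
    store_secret(secure, token)
    store_secret_insecurely(insecure, token)
    store_secret_insecurely(shared, token)
    os.chmod(shared, 0o666)                   # constructed case: a world-writable file
    return {
        "secure_mode": oct(stat.S_IMODE(os.stat(secure).st_mode)),
        "secure": insecure_storage_findings(secure),
        "insecure": insecure_storage_findings(insecure),   # result depends on umask
        "shared": insecure_storage_findings(shared),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```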

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • System Configuration
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope / Effect
Confidentiality

Technical Impact: Read application data; Read files or directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Integrity

Technical Impact: Modify application data; Modify files or directories

Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 312 | Cleartext Storage of Sensitive Information | Development Concepts 699; Research Concepts 1000
ParentOf | Weakness Base | 921 | Storage of Sensitive Data in a Mechanism without Access Control | Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Relationship Notes

There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.

+ Maintenance Notes

This is a high-level node that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.

+ Content History
Submissions
Submission Date | Submitter | Organization | Source
2013-06-23 | MITRE | | Internal CWE Team

Page Last Updated: May 05, 2017