An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
The information either
is regarded as sensitive within the product's own functionality, such as a private message; or
provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.
Many information exposures are resultant (e.g., a PHP script error revealing the full path of the program), but they can also be primary (e.g., timing discrepancies in cryptography). There are many different types of problems that involve information exposures. Their severity can range widely depending on the type of information that is revealed.
The term "leak" is frequently used; however, it has multiple uses within security. In some cases it deals with exposure of information, but in other cases (such as "memory leak") it deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term.
The term "information disclosure" is frequently used in vulnerability databases and other sources; however, "disclosure" does not always have security implications. The phrase "information disclosure" is also used frequently in policies and legal documents, where it does not refer to disclosure of security-relevant information.
Time of Introduction: Architecture and Design
Technical Impact: Read application data
Likelihood of Exploit
Automated Static Analysis - Binary / Bytecode
According to SOAR, the following detection techniques may be
Compartmentalize the system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system
design and that the compartmentalization serves to allow for and further
reinforce privilege separation functionality. Architects and designers
should rely on the principle of least privilege to decide when it is
appropriate to use and to drop system privileges.
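As an added illustration (not part of the CWE entry), the following Python shows the resultant exposure described above, an error handler that returns a stack trace and so reveals the program's installation path, beside a version that keeps the trace inside the trust boundary. The handler names, the log sink and the file path are constructed assumptions.

```python
"""Added example: an error handler that is itself an information exposure
(the traceback reveals the install path) beside a hardened handler that
keeps the detail server-side. All names and paths here are constructed."""
import logging
import traceback
import uuid

log = logging.getLogger("app")  # assumed server-side log sink


def format_trace(exc: Exception) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def handle_error_exposing(exc: Exception) -> dict:
    """Vulnerable: the traceback crosses the trust boundary to the remote
    caller, disclosing file paths, function names and the failing input."""
    return {"status": 500, "body": format_trace(exc)}


def handle_error_hardened(exc: Exception) -> dict:
    """Hardened: the traceback stays in the log; the client receives only a
    generic message plus an opaque reference for correlating with the log."""
    ref = uuid.uuid4().hex
    log.error("ref=%s\n%s", ref, format_trace(exc))
    return {"status": 500, "body": f"Internal error (reference {ref})"}


def load_config(path: str) -> None:
    # Constructed failure deep in "application" code.
    raise FileNotFoundError(path)


def simulate_request(handler) -> dict:
    """Runs a constructed request that fails and passes the error to `handler`."""
    try:
        load_config("/srv/app/releases/1.4.2/conf/secrets.ini")  # constructed path
    except Exception as exc:
        return handler(exc)
    return {"status": 200, "body": "ok"}


def response_reveals_internals(resp: dict) -> bool:
    """Check used by the test: does the client-visible body carry internals?"""
    body = resp["body"]
    return "/srv/app/" in body or "load_config" in body or "Traceback" in body
```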
the weakness is typically related to the presence of some other