Category: Comprehensive Categorization: Sensitive Information Exposure
Incomplete
Summary
Weaknesses in this category are related to sensitive information exposure.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1254 | Incorrect Comparison Logic Granularity | This vulnerability occurs when a system compares sensitive data, like passwords or authentication tokens, piece-by-piece instead of as a complete unit. If the comparison stops at the first mismatch, attackers can measure tiny timing differences to gradually guess the correct value. |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | This vulnerability occurs when a device's power consumption is monitored during security checks, allowing attackers to deduce secret reference values by analyzing subtle differences in energy usage during comparison operations. |
| CWE-1273 | Device Unlock Credential Sharing | This vulnerability occurs when the secret keys or passwords required to unlock a device's hidden features are shared between multiple organizations, creating a chain of trust where sensitive access can be leaked. |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | The product's debug messages or logs expose excessive internal system details, potentially revealing sensitive information that could aid an attacker. |
| CWE-1300 | Improper Protection of Physical Side Channels | This vulnerability occurs when a hardware device lacks adequate safeguards against physical side-channel attacks. Attackers can exploit measurable patterns in power usage, electromagnetic radiation, or even sound emissions to uncover sensitive information like encryption keys. |
| CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs | This vulnerability occurs when a hardware cryptographic module leaks sensitive internal data through its output channels. Instead of only providing the final encrypted or decrypted result, the module inadvertently exposes intermediate calculation states or partial results via its output wires or ports. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like passwords, keys, or personal data—that the recipient should not be able to access. |
| CWE-203 | Observable Discrepancy | This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can observe these variations—like changes in error messages, timing, or system behavior—to infer sensitive information, such as whether a username exists, a password is incorrect, or a specific operation succeeded. |
| CWE-204 | Observable Response Discrepancy | This vulnerability occurs when an application responds differently to similar requests, unintentionally leaking details about its internal state or logic to unauthorized users. |
| CWE-205 | Observable Behavioral Discrepancy | This vulnerability occurs when an application behaves differently in ways that unauthorized users can detect. These observable differences can reveal internal system logic, state information, or how the product varies from similar applications, providing attackers with valuable clues. |
| CWE-206 | Observable Internal Behavioral Discrepancy | This vulnerability occurs when a system's internal steps or decisions become visible to an attacker because the system behaves differently at each stage. Instead of presenting a single, unified result, the product leaks information about its internal checks, allowing an attacker to map its logic and pinpoint weaknesses. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | This vulnerability occurs when a system that should remain anonymous behaves differently than other products with the same purpose, allowing attackers to detect and identify it. |
| CWE-208 | Observable Timing Discrepancy | This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | This vulnerability occurs when an application detects a problem and generates its own error messages that accidentally expose sensitive system or user data. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | This vulnerability occurs when an application triggers an error message from an external component—like a database, interpreter, or operating system—and that error reveals sensitive details about the system's internal workings, configuration, or data. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information that other stakeholders—like users or administrators—consider confidential. Essentially, the developer's policy conflicts with the security expectations of the people who use or manage the product. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its command-line arguments or environment variables. Because this information is often visible to other processes on the system, it can be easily exposed. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or console outputs, and fail to remove or disable this code before deploying to a live environment. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | This vulnerability occurs when an application unintentionally reveals sensitive details about its underlying system, such as file paths, software versions, or environment data, to users who should not have access to that information. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | This vulnerability occurs when sensitive data, such as credentials, API keys, or internal logic, is embedded within test code or debugging applications that remain accessible in production environments. Attackers can discover and exploit these forgotten endpoints to gain unauthorized access or gather critical intelligence about the system. |
| CWE-532 | Insertion of Sensitive Information into Log File | This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files. |
| CWE-535 | Exposure of Information Through Shell Error Message | This vulnerability occurs when a web application's command shell returns detailed error messages to users. Attackers can analyze these messages to understand the underlying system, identify weaknesses, and potentially gain unauthorized access. |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | This vulnerability occurs when a Java servlet application displays detailed runtime error messages that reveal sensitive information about the application's internal structure, such as stack traces, file paths, or database queries. These unhandled exception details can give attackers critical insights to craft further exploits. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | This vulnerability occurs when a Java application's runtime error messages reveal sensitive details about the system, such as file paths, internal IP addresses, or stack traces. Attackers can exploit these overly informative error messages to map the application's structure and gather intelligence for further attacks. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | This vulnerability occurs when an application unintentionally stores confidential data—like passwords, API keys, or personal user details—in a location that is publicly accessible or readable by unauthorized users. Even if the file itself is intended to be available, the sensitive information within it should not be. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | This vulnerability occurs when sensitive data like passwords or system details is placed inside a publicly accessible include file. Attackers can directly request these files to steal credentials and compromise the application. |
| CWE-548 | Exposure of Information Through Directory Listing | This vulnerability occurs when a web server is misconfigured to display a full list of files within a directory instead of serving a default web page, unintentionally exposing sensitive resources to anyone who visits the URL. |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | This vulnerability occurs when a web application or server returns detailed error messages that reveal sensitive internal information about the system. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | This vulnerability occurs when a web application handles sensitive data, like passwords or session tokens, by passing them within the URL's query string using an HTTP GET request. |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | This vulnerability occurs when developers leave sensitive details within source code comments. These can include internal file paths, hidden URLs, inactive code snippets, credentials, or other information meant for internal use only. |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | This vulnerability occurs when a Web Service Definition Language (WSDL) file, which acts as a public blueprint for a web service, is exposed in a way that reveals sensitive information about the application's internal structure or functionality. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.