Category: Information Management Errors

Draft
Summary

Weaknesses in this category are related to improper handling of sensitive information.

Membership
Members of this category (ID, name, description):

CWE-1230: Exposure of Sensitive Information Through Metadata
  This vulnerability occurs when an application protects the primary source of sensitive data but fails to secure the metadata derived from it. Attackers can then access this secondary information, which may leak critical details about the original content.

CWE-201: Insertion of Sensitive Information Into Sent Data
  This vulnerability occurs when an application sends data to an external party but accidentally includes sensitive information, such as passwords, keys, or personal data, that the recipient should not be able to access.

CWE-204: Observable Response Discrepancy
  This vulnerability occurs when an application responds differently to similar requests, unintentionally leaking details about its internal state or logic to unauthorized users.

CWE-205: Observable Behavioral Discrepancy
  This vulnerability occurs when an application behaves differently in ways that unauthorized users can detect. These observable differences can reveal internal system logic, state information, or how the product varies from similar applications, providing attackers with valuable clues.

CWE-208: Observable Timing Discrepancy
  This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct.

CWE-209: Generation of Error Message Containing Sensitive Information
  This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users.

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
  This vulnerability occurs when an application stores or transmits a resource containing sensitive data without properly cleaning it first, potentially exposing that information to unauthorized parties.

CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
  This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information that other stakeholders, such as users or administrators, consider confidential. Essentially, the developer's policy conflicts with the security expectations of the people who use or manage the product.

CWE-214: Invocation of Process Using Visible Sensitive Information
  This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its command-line arguments or environment variables. Because this information is often visible to other processes on the system, it can be easily exposed.

CWE-215: Insertion of Sensitive Information Into Debugging Code
  This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or console outputs, and fail to remove or disable this code before deploying to a live environment.

CWE-312: Cleartext Storage of Sensitive Information
  This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.

CWE-319: Cleartext Transmission of Sensitive Information
  This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
  This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or have not provided the necessary consent for its use.

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  This vulnerability occurs when an application unintentionally reveals sensitive details about its underlying system, such as file paths, software versions, or environment data, to users who should not have access to that information.

CWE-524: Use of Cache Containing Sensitive Information
  This vulnerability occurs when an application stores sensitive data in a cache that is accessible to unauthorized users or external systems.

CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
  This vulnerability occurs when an application unintentionally stores confidential data, such as passwords, API keys, or personal user details, in a location that is publicly accessible or readable by unauthorized users. Even if the file itself is intended to be available, the sensitive information within it should not be.

CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
  This vulnerability occurs when an application saves sensitive information to a storage location that lacks proper access restrictions, allowing unauthorized users or applications to view or modify the data.

This category is a member of the following view:

CWE-699: Software Development
  This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle, including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.