Exposure of Sensitive Information Through Data Queries

Draft Base

Structure: Simple

Description

This vulnerability occurs when an attacker uses statistical analysis on aggregated or anonymized data to uncover sensitive details about individuals, even when direct identifiers are removed.

Extended Description

This flaw often appears in systems designed for privacy, such as databases that allow users to query large datasets without revealing personal information. Attackers can craft specific queries or combine multiple query results to perform a statistical inference attack, effectively 're-identifying' individuals from data that was supposed to be anonymous. To prevent this, developers must implement robust privacy controls beyond simple anonymization. Techniques like query thresholding, differential privacy, or carefully auditing the potential information leakage from any query pattern are essential to ensure that aggregated data cannot be reverse-engineered to expose private user details.

Common Consequences 1

Scope: Confidentiality

Impact: Read Files or DirectoriesRead Application Data

Sensitive information may possibly be leaked through data queries accidentally.

Potential Mitigations 1

Phase: Architecture and Design

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

Demonstrative Examples 1

See the book Translucent Databases for examples.

Observed Examples 1

CVE-2022-41935Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.

References 1

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

ChildOf:

Exposure of Sensitive Information Through Metadata (CWE-1230)

Taxonomy Mapping

CLASP

Notes

Maintenance The relationship between Exposure of Sensitive Information Through Data Queries and Improper Authorization of Index Containing Sensitive Information needs to be investigated more closely, as they may be different descriptions of the same kind of problem. Exposure of Sensitive Information Through Data Queries is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, Exposure of Sensitive Information Through Metadata).