Category: SFP Secondary Cluster: Exposed Data
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Deploying an ASP.NET application with debug binaries enabled exposes detailed system information, which attackers can use to map your infrastructure and plan targeted exploits. |
| CWE-117 | Improper Output Neutralization for Logs | This vulnerability occurs when an application creates log entries using unvalidated external data, allowing attackers to inject malicious characters or commands that can corrupt log files, trigger parsing errors, or enable log injection attacks. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | This vulnerability occurs when an ASP.NET application fails to configure custom error pages, allowing attackers to extract sensitive information from the framework's default error messages. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources. |
| CWE-14 | Compiler Removal of Code to Clear Buffers | A compiler optimization can remove security-critical code intended to wipe sensitive data from memory, leaving secrets exposed. This happens when the compiler identifies buffer-clearing operations as unnecessary 'dead stores' and eliminates them. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like passwords, keys, or personal data—that the recipient should not be able to access. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | This vulnerability occurs when an application detects a problem and generates its own error messages that accidentally expose sensitive system or user data. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | This vulnerability occurs when an application triggers an error message from an external component—like a database, interpreter, or operating system—and that error reveals sensitive details about the system's internal workings, configuration, or data. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | This vulnerability occurs when an application stores or transmits a resource containing sensitive data without properly cleaning it first, potentially exposing that information to unauthorized parties. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information that other stakeholders—like users or administrators—consider confidential. Essentially, the developer's policy conflicts with the security expectations of the people who use or manage the product. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its command-line arguments or environment variables. Because this information is often visible to other processes on the system, it can be easily exposed. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or console outputs, and fail to remove or disable this code before deploying to a live environment. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | This vulnerability occurs when an application saves sensitive files, such as configuration data or private keys, inside the web server's publicly accessible directory. Without proper access restrictions, attackers can directly request and download these files. |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root | This vulnerability occurs when an application saves sensitive files, such as configuration or user data, within the directory served by an FTP server without proper access restrictions. This misconfiguration can allow unauthorized users to download these files directly. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context. |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Using realloc() to resize buffers containing secrets like passwords or keys can leave that sensitive data exposed in memory, as the original data is not securely erased. |
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed. |
| CWE-312 | Cleartext Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems. |
| CWE-313 | Cleartext Storage in a File or on Disk | This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk without using encryption. |
| CWE-314 | Cleartext Storage in the Registry | This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie without encryption. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of encryption or protection. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its graphical user interface (GUI) elements. |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code without encryption. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-374 | Passing Mutable Objects to an Untrusted Method | This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | This vulnerability occurs when a method directly returns a reference to its internal mutable data, allowing untrusted calling code to modify that data unexpectedly. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | This vulnerability occurs when an application unintentionally exposes internal resources, like files, memory, or database connections, to unauthorized users or systems. Essentially, it's a type of resource leak where sensitive assets cross a security boundary. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | This vulnerability occurs when a parent process launches a child process without first closing sensitive file descriptors. The child process inherits these open handles, potentially gaining unauthorized access to files, sockets, or other resources it shouldn't be able to interact with. |
| CWE-433 | Unparsed Raw Web Content Delivery | This vulnerability occurs when a web application stores unprocessed files—like configuration scripts or raw source code—in publicly accessible directories using file extensions the server doesn't recognize. |
| CWE-495 | Private Data Structure Returned From A Public Method | This vulnerability occurs when a public method directly returns a reference to a private, internal data structure. Because the reference is live, external callers can bypass intended controls and modify the data unexpectedly, corrupting the application's state. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | This vulnerability occurs when an application unintentionally reveals sensitive details about its underlying system, such as file paths, software versions, or environment data, to users who should not have access to that information. |
| CWE-498 | Cloneable Class Containing Sensitive Information | This vulnerability occurs when a class containing sensitive information, such as credentials or personal data, is made cloneable. Attackers can bypass normal initialization and access the sensitive data by creating a copy of the object. |
| CWE-499 | Serializable Class Containing Sensitive Data | This vulnerability occurs when a class containing sensitive information, such as credentials or personal data, is left serializable by default. Because the class does not explicitly prevent serialization, its internal data can be accessed and extracted by other parts of the application or external processes. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | This vulnerability occurs when a J2EE application transmits sensitive data, like login credentials or session tokens, across a network without using strong encryption. Attackers monitoring the network can easily intercept, read, or even alter this information if it's sent in plain text or protected by weak cryptographic methods. |
| CWE-501 | Trust Boundary Violation | This vulnerability occurs when an application incorrectly stores or processes trusted and untrusted data together within the same structure, such as an object, array, or message. |
| CWE-522 | Insufficiently Protected Credentials | This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable. |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | This vulnerability occurs when a version control repository, like Git or SVN, is accidentally placed in a location accessible to unauthorized users, such as a web server directory or a public archive. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | This vulnerability occurs when an application creates a core dump file (a snapshot of memory at the time of a crash) and places it in a location accessible to unauthorized users or systems. |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | This vulnerability occurs when an application stores sensitive access control list (ACL) files in a location that is accessible to unauthorized users or systems. |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | This vulnerability occurs when backup or temporary files are stored in locations that unauthorized users can access, such as web directories. |
| CWE-532 | Insertion of Sensitive Information into Log File | This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files. |
| CWE-535 | Exposure of Information Through Shell Error Message | This vulnerability occurs when a web application's command shell returns detailed error messages to users. Attackers can analyze these messages to understand the underlying system, identify weaknesses, and potentially gain unauthorized access. |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | This vulnerability occurs when a Java servlet application displays detailed runtime error messages that reveal sensitive information about the application's internal structure, such as stack traces, file paths, or database queries. These unhandled exception details can give attackers critical insights to craft further exploits. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | This vulnerability occurs when a Java application's runtime error messages reveal sensitive details about the system, such as file paths, internal IP addresses, or stack traces. Attackers can exploit these overly informative error messages to map the application's structure and gather intelligence for further attacks. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | This vulnerability occurs when an application unintentionally stores confidential data—like passwords, API keys, or personal user details—in a location that is publicly accessible or readable by unauthorized users. Even if the file itself is intended to be available, the sensitive information within it should not be. |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | This vulnerability occurs when a web application stores sensitive data, like authentication details or personal information, within persistent cookies that remain on a user's device. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | This vulnerability occurs when sensitive data like passwords or system details is placed inside a publicly accessible include file. Attackers can directly request these files to steal credentials and compromise the application. |
| CWE-546 | Suspicious Comment | This weakness occurs when code contains comments that flag potential issues, such as bugs, security gaps, or unfinished work, which can expose underlying problems or oversights. |
| CWE-548 | Exposure of Information Through Directory Listing | This vulnerability occurs when a web server is misconfigured to display a full list of files within a directory instead of serving a default web page, unintentionally exposing sensitive resources to anyone who visits the URL. |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | This vulnerability occurs when a web application or server returns detailed error messages that reveal sensitive internal information about the system. |
| CWE-552 | Files or Directories Accessible to External Parties | This vulnerability occurs when an application exposes files or directories to users who shouldn't have access to them. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | A J2EE application insecurely stores an unprotected password within a configuration file. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | This vulnerability occurs when an application stores sensitive information, like passwords or encryption keys, in system memory that isn't properly secured from being written to disk. If the memory isn't locked, the operating system's virtual memory manager can swap it to a page or swap file, leaving the data exposed on the storage drive where attackers could potentially recover it. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | This vulnerability occurs when a web application handles sensitive data, like passwords or session tokens, by passing them within the URL's query string using an HTTP GET request. |
| CWE-607 | Public Static Final Field References Mutable Object | This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not, malicious code or even accidental code in other packages can modify the object's contents, violating the intended immutability. |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | This vulnerability occurs when a system indexes sensitive documents for search but fails to properly restrict who can query that index. Attackers can then discover and extract confidential information from the indexed content without having direct access to the original files. |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | This vulnerability occurs when developers leave sensitive details within source code comments. These can include internal file paths, hidden URLs, inactive code snippets, credentials, or other information meant for internal use only. |
| CWE-642 | External Control of Critical State Data | This vulnerability occurs when an application stores security-sensitive state data in locations that unauthorized users can access and modify. |
| CWE-668 | Exposure of Resource to Wrong Sphere | This vulnerability occurs when an application unintentionally makes a resource accessible to users or systems that should not have permission to use it. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | This vulnerability occurs when an application incorrectly moves or shares a resource (like data, permissions, or functionality) between different trust boundaries or security contexts. This improper transfer can give unintended actors control over that resource, leading to security breaches. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | This vulnerability occurs when a J2EE application uses the server's default error pages instead of custom ones, potentially leaking sensitive system details. |
| CWE-756 | Missing Custom Error Page | This vulnerability occurs when an application fails to display its own user-friendly error pages, instead falling back to default system messages that can leak sensitive technical details. |
| CWE-767 | Access to Critical Private Variable via Public Method | This vulnerability occurs when a class exposes a public method that directly accesses or alters a private variable. |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | This vulnerability occurs when an Entity Bean in a J2EE application is incorrectly configured with a remote interface. This exposes data access methods to remote clients, allowing unauthorized users to potentially read sensitive information or manipulate data outside the application's intended security boundaries. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.