This category identifies Software Fault Patterns (SFPs) within the State Disclosure cluster.
| ID | Name | Description |
|---|---|---|
| CWE-202 | Exposure of Sensitive Information Through Data Queries | This vulnerability occurs when an attacker uses statistical analysis on aggregated or anonymized data to uncover sensitive details about individuals, even when direct identifiers are removed. |
| CWE-203 | Observable Discrepancy | This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can observe these variations—like changes in error messages, timing, or system behavior—to infer sensitive information, such as whether a username exists, a password is incorrect, or a specific operation succeeded. |
| CWE-204 | Observable Response Discrepancy | This vulnerability occurs when an application responds differently to similar requests, unintentionally leaking details about its internal state or logic to unauthorized users. |
| CWE-205 | Observable Behavioral Discrepancy | This vulnerability occurs when an application behaves differently in ways that unauthorized users can detect. These observable differences can reveal internal system logic, state information, or how the product varies from similar applications, providing attackers with valuable clues. |
| CWE-206 | Observable Internal Behavioral Discrepancy | This vulnerability occurs when a system's internal steps or decisions become visible to an attacker because the system behaves differently at each stage. Instead of presenting a single, unified result, the product leaks information about its internal checks, allowing an attacker to map its logic and pinpoint weaknesses. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | This vulnerability occurs when a system that should remain anonymous behaves differently from other products with the same purpose, allowing attackers to detect and identify it. |
| CWE-208 | Observable Timing Discrepancy | This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |