
Information Exposure

ID: 200
Date: (C) 2012-05-14   (M) 2017-11-16
Type: weakness
Status: INCOMPLETE
Abstraction Type: Class





Description

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Extended Description

The information either

is regarded as sensitive within the product's own functionality, such as a private message; or

provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.

Many information exposures are resultant, meaning they are a side effect of some other weakness (e.g. a PHP script error revealing the full path of the program is really an error-handling defect), but they can also be primary, where the exposure is itself the root weakness (e.g. timing discrepancies in cryptographic code). Many different kinds of problems involve information exposures, and their severity ranges widely depending on the type of information that is revealed.
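As an added example, not part of the CWE entry, here are the two shapes named above side by side in Python: an error handler that echoes a raw exception text to the client (a resultant exposure, since the root cause is the error-handling defect) and a byte-by-byte token comparison whose running time depends on how much of the secret the caller guessed (a primary exposure), each beside a hardened form. The config path, token values and logger name are constructed for illustration and are not from the entry.

```python
"""Added example (not from the CWE entry): a resultant and a primary
information exposure, each beside a hardened version. The install path,
token values and logger name are constructed for illustration."""
import hmac
import logging
import uuid

log = logging.getLogger("app")  # assumed application logger name

# Constructed path: stands in for wherever the product happens to be installed.
CONFIG_PATH = "/var/www/secretapp/config/db.ini"


def make_constructed_failure() -> OSError:
    """Builds the exception a missing config file would produce. It is
    constructed directly (no filesystem access) so the example runs anywhere;
    note that the exception text itself carries the absolute path."""
    return FileNotFoundError(2, "No such file or directory", CONFIG_PATH)


def render_error_verbose(exc: Exception) -> dict:
    """Resultant exposure: an error-handling defect echoes the raw exception
    text to the client, and with it the install path of the product."""
    return {"status": 500, "body": f"Internal error: {exc}"}


def render_error_hardened(exc: Exception) -> dict:
    """Hardened: the client gets a generic message plus an opaque reference;
    the detail stays in the server log where an operator can correlate it."""
    ref = uuid.uuid4().hex
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"status": 500, "body": f"Internal error (ref {ref})"}


def verify_token_naive(presented: bytes, expected: bytes) -> tuple[bool, int]:
    """Primary exposure: a comparison that stops at the first mismatching
    byte. The number of bytes examined is returned next to the verdict so the
    discrepancy is visible here; in production it shows up as response time,
    which lets an attacker recover the secret one byte at a time."""
    if len(presented) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(presented, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_token_safe(presented: bytes, expected: bytes) -> bool:
    """Hardened: hmac.compare_digest examines every byte regardless of where
    the inputs first differ, so the verdict is not correlated with timing."""
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    exc = make_constructed_failure()
    print(render_error_verbose(exc)["body"])   # leaks CONFIG_PATH
    print(render_error_hardened(exc)["body"])  # generic message plus reference
    secret = b"abcdefgh"
    for guess in (b"aXXXXXXX", b"abcdXXXX", b"abcdefgh"):
        print(guess, verify_token_naive(guess, secret), verify_token_safe(guess, secret))
```

The returned `examined` count is what an attacker measures indirectly through latency; the hardened comparison removes the correlation rather than trying to hide it with added delay, which is the usual advice because injected jitter can be averaged away.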

Likelihood of Exploit: High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

Scope            Technical Impact        Notes
Confidentiality  Read application data

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Strategy: Separation of Privilege
Description: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

Relationships

Related CWE   Type      Related To            View
CWE-200       ChildOf   CWE-895 (Category)    CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy             Id   Name                                              Fit
PLOVER                    Information Leak (information disclosure)
OWASP Top Ten 2007   A6   Information Leakage and Improper Error Handling   CWE_More_Specific
WASC                 13   Information Leakage

References:
None

CVE    2023
CVE-2015-4207
CVE-2015-4209
CVE-2014-1320
CVE-2014-1322
...

© 2013 SecPod Technologies