Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

CWE-202: Exposure of Sensitive Information Through Data Queries | Mondoo Vulnerability Intelligence

CWE-202

BaseDraft

View on MITRE

Exposure of Sensitive Information Through Data Queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

23 linked vulnerabilities

1 related weaknesses

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

ConfidentialityRead Files or DirectoriesRead Application Data

Sensitive information may possibly be leaked through data queries accidentally.

Modes of Introduction

Architecture and DesignImplementation

Related Weaknesses

CWE-1230ChildOf

Example CVEs (1)

CVE-2022-41935

Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.

External Links

MITRE CWE Database