CWE-202

BaseDraft

View on MITRE

Exposure of Sensitive Information Through Data Queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

24 linked vulnerabilities

1 related weaknesses

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

Confidentiality

Read Files or Directories

Read Application Data

Sensitive information may possibly be leaked through data queries accidentally.

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

CWE-1230ChildOf

Example CVEs (1)

CVE-2022-41935

Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.

External Links

MITRE CWE Database

CWE-202: Exposure of Sensitive Information Through Data Queries | Mondoo Vulnerability Intelligence