CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Potential Mitigations
Phase: Architecture and Design
Strategy: Separation of Privilege
Detection Methods
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: High
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2022-31162
Rust library leaks Oauth client details in application debug logs
Reference: CVE-2021-25476
Digital Rights Management (DRM) capability for mobile platform leaks pointer information, simplifying ASLR bypass
Reference: CVE-2001-1483
Enumeration of valid usernames based on inconsistent responses
Reference: CVE-2001-1528
Account number enumeration via inconsistent responses.
Reference: CVE-2004-2150
User enumeration via discrepancies in error messages.
Reference: CVE-2005-1205
Telnet protocol allows servers to obtain sensitive environment information from clients.
Reference: CVE-2002-1725
Script calls phpinfo(), revealing system configuration to web user
Reference: CVE-2002-0515
Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
Reference: CVE-2004-0778
Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
Reference: CVE-2000-1117
Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
Reference: CVE-2003-0190
Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Reference: CVE-2008-2049
POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
Reference: CVE-2007-5172
Program reveals password in error message if attacker can trigger certain database errors.
Reference: CVE-2008-4638
Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
Reference: CVE-2007-1409
Direct request to library file in web application triggers pathname leak in error message.
Reference: CVE-2005-0603
Malformed regexp syntax leads to information exposure in error message.
Reference: CVE-2004-2268
Password exposed in debug information.
Reference: CVE-2003-1078
FTP client with debug option enabled shows password to the screen.
Reference: CVE-2022-0708
Collaboration platform does not clear team emails in a response, allowing leak of email addresses
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Information Leak (information disclosure) | - |
| OWASP Top Ten 2007 | A6 | Information Leakage and Improper Error Handling | CWE More Specific |
| WASC | 13 | Information Leakage | - |
Key Information
CWE ID: CWE-200
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit: High