CWE-209 - Information Exposure Through an Error Message

Description

The software generates an error message that includes sensitive information about its environment, users, or associated data. The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query. The weakness is introduced during Architecture and Design, Implementation, System Configuration, Operation stages.

Latest vulnerabilities for CWE-209

Multiple vulnerabilities in Mozilla Thunderbird 2024-05-15
High Yes

Multiple vulnerabilities in Mozilla Firefox 2024-05-15
High Yes

Multiple vulnerabilities in IBM Security Verify Directory 2024-04-23
Low Yes

Multiple vulnerabilities in IBM Security Verify Governance 2024-04-18
High Yes

Information disclosure in Microsoft .NET Framework 2024-04-17
Medium Yes

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Security Services 2024-02-22
High Yes

Multiple vulnerabilities in NVIDIA DGX Station A100 and DGX Station A800 2024-02-09
High Yes

Multiple vulnerabilities in IBM Security Verify Privilege On-Premises 2024-02-06
High Yes

Multiple vulnerabilities in Rapid Software Rapid SCADA 2024-01-12
High No

Multiple vulnerabilities in IBM UrbanCode Deploy 2024-01-05
Medium Yes

References

Description of CWE-209 on Mitre website