CWE-202: Exposure of Sensitive Information Through Data Queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

CWE-202: Exposure of Sensitive Information Through Data Queries

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-202?

What CVEs are caused by CWE-202?

How do you prevent CWE-202?

What are the consequences of CWE-202?

Is CWE-202 actively exploited?

References

Stay ahead of CWE-202

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-202?

What CVEs are caused by CWE-202?

How do you prevent CWE-202?

What are the consequences of CWE-202?

Is CWE-202 actively exploited?

References

Stay ahead of CWE-202