CWE-223: Omission of Security-relevant Information

CVE-2022-22563

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code logs suspicious multiple login attempts.

Vulnerable example

php

function login($userName,$password){

This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.

This code prints the contents of a file if a user has permission.

Vulnerable example

php

function readFile($filename){

While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).

CWE-223: Omission of Security-relevant Information

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-223?

What CVEs are caused by CWE-223?

What are the consequences of CWE-223?

Is CWE-223 actively exploited?

References

Stay ahead of CWE-223

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-223?

What CVEs are caused by CWE-223?

What are the consequences of CWE-223?

Is CWE-223 actively exploited?

References

Stay ahead of CWE-223