CWE-201: Insertion of Sensitive Information Into Sent Data

Description

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).

Example Vulnerable Code

Example - 1

The following is an actual MySQL error statement:

Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4

The error clearly exposes the database credentials.
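The following added example (not part of the CWE entry) contrasts a handler that copies a driver error into the response with one that keeps the detail server-side and sends the client only a generic message and a reference id. The DatabaseError class, connect(), redact() and both handler functions are hypothetical names, and the sample error string is constructed from the message quoted above.

```python
import logging
import re
import uuid

log = logging.getLogger("app.db")

# Constructed sample, modelled on the error message quoted above.
SAMPLE_ERROR = ("Access denied for user: 'root@localhost' (Using password: N1nj4) "
                "in /usr/local/www/wi-data/includes/database.inc on line 4")

class DatabaseError(Exception):
    """Hypothetical stand-in for a database driver exception."""

def connect():
    # Simulates a failed connection whose message carries sensitive detail.
    raise DatabaseError(SAMPLE_ERROR)

def handle_request_vulnerable():
    # Weak: the driver's error text is sent verbatim to the other actor.
    try:
        connect()
    except DatabaseError as exc:
        return {"status": 500, "body": f"Warning: {exc}"}

_PASSWORD = re.compile(r"(password:\s*)[^)\s]+", re.IGNORECASE)

def redact(text):
    # Secrets should not land in log files either.
    return _PASSWORD.sub(r"\1[REDACTED]", text)

def handle_request_hardened():
    # Detail stays in the server-side log under an incident id;
    # the response carries only a generic message and that id.
    try:
        connect()
    except DatabaseError as exc:
        incident = uuid.uuid4().hex[:12]
        log.error("incident=%s db failure: %s", incident, redact(str(exc)))
        return {"status": 500, "body": f"Internal error. Reference: {incident}"}
```
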

Visit http://cwe.mitre.org/ for more details.