CWE-221: Information Loss or Omission

Description

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-10-26 00:00:00+00:00

Organization: MITRE

Extended Description

This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event.

Example Vulnerable Code

Example - 1

This code logs suspicious multiple login attempts.

    function login($userName,$password){
        if(authenticate($userName,$password)){
            return True;
        }
        else{
            incrementLoginAttempts($userName);
            // Vulnerable as described: nothing is written until the count exceeds 5.
            if(recentLoginAttempts($userName) > 5){
                writeLog("Failed login attempt by User: " . $userName . " at " . date('r') );
            }
        }
    }

This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.
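A hardened counterpart to the function above, added here as an example and not part of the CWE entry: every failed attempt is recorded, and the threshold only raises the severity of the entry. The in-memory log, the three-argument writeLog(), the authenticate() stub and the sample account are constructed stand-ins for illustration.

```php
<?php
// Added example: login() that logs every failure instead of only those past the limit.
// $auditLog, $failures, authenticate() and the 'alice' account are constructed for the demo.

const ALERT_THRESHOLD = 5;   // same limit as the example above

$auditLog = [];              // stand-in for a real log sink
$failures = [];              // per-user failure counters

function writeLog(string $level, string $event, string $userName): void {
    global $auditLog;
    // Strip CR/LF so a crafted user name cannot forge extra log lines.
    $safeUser = str_replace(["\r", "\n"], ' ', $userName);
    $auditLog[] = sprintf('%s %s %s user="%s"', date('c'), $level, $event, $safeUser);
}

function authenticate(string $userName, string $password): bool {
    // Constructed credential store, for the demo only.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$userName]) && password_verify($password, $users[$userName]);
}

function login(string $userName, string $password): bool {
    global $failures;
    if (authenticate($userName, $password)) {
        writeLog('INFO', 'login_success', $userName);
        $failures[$userName] = 0;
        return true;
    }
    // Record every failure; the count no longer gates whether anything is logged.
    $failures[$userName] = ($failures[$userName] ?? 0) + 1;
    writeLog('WARN', 'login_failure', $userName);
    if ($failures[$userName] > ALERT_THRESHOLD) {
        // Past the limit, add a higher-severity entry for alerting.
        writeLog('ALERT', 'login_failure_threshold_exceeded', $userName);
    }
    return false;
}

// Three failures stay under the limit, yet each one appears in the log.
for ($i = 0; $i < 3; $i++) {
    login('alice', 'guess' . $i);
}
login('alice', 'correct horse');
echo implode(PHP_EOL, $auditLog), PHP_EOL;
```

Run with the PHP CLI, this prints three login_failure entries followed by one login_success entry, where the original function would have written nothing.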

Visit http://cwe.mitre.org/ for more details.