{"@ID": "209", "@Name": "Generation of Error Message Containing Sensitive Information", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-209-Diagram.png", "Description": "The product generates an error message that includes sensitive information about its environment, users, or associated data.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "200", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "200", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "755", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": [{"@Name": "PHP", "@Prevalence": "Often"}, {"@Name": "Java", "@Prevalence": "Often"}, {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}], "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}, {"Phase": "System Configuration"}, {"Phase": "Operation"}]}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Application Data", "Note": "Often this will either reveal sensitive information which may be used to launch another, more focused attack  or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of \"..\" sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query."}}, "Detection_Methods": {"Detection_Method": [{"Method": "Manual Analysis", "Description": "This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.", "Effectiveness": "High"}, {"Method": "Automated Analysis", "Description": "Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.", "Effectiveness": "Moderate"}, {"@Detection_Method_ID": "DM-2", "Method": "Automated Dynamic Analysis", "Description": {"xhtml:p": ["This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.", "Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior."]}, "Effectiveness": "Moderate"}, {"@Detection_Method_ID": "DM-12", "Method": "Manual Dynamic Analysis", "Description": "Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself."}, {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-39", "Phase": "Implementation", "Description": {"xhtml:p": ["Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.", "If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.", "Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not."]}}, {"Phase": "Implementation", "Description": "Handle exceptions internally and do not display errors containing potentially sensitive information to a user."}, {"@Mitigation_ID": "MIT-33", "Phase": "Implementation", "Strategy": "Attack Surface Reduction", "Description": "Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.", "Effectiveness": "Defense in Depth", "Effectiveness_Notes": "This makes it easier to spot places in the code where data is being used that is unencrypted."}, {"@Mitigation_ID": "MIT-40", "Phase": ["Implementation", "Build and Compilation"], "Strategy": "Compilation or Build Hardening", "Description": "Debugging information should not make its way into a production release."}, {"@Mitigation_ID": "MIT-40", "Phase": ["Implementation", "Build and Compilation"], "Strategy": "Environment Hardening", "Description": "Debugging information should not make its way into a production release."}, {"Phase": "System Configuration", "Description": "Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function."}, {"Phase": "System Configuration", "Description": "Create default error pages or messages that do not leak any information."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "In the following example, sensitive information might be printed depending on the exception that occurs.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "/.../"}, {"@style": "margin-left:1em;", "#text": "System.out.println(e);"}], "xhtml:br": null, "#text": "try {}catch (Exception e) {}"}}, "Body_Text": "If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem."}, {"@Demonstrative_Example_ID": "DX-118", "Intro_Text": "This code tries to open a database connection, and prints any exceptions that occur.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "openDbConnection();"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "echo 'Caught exception: ', $e->getMessage(), '\\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\\n';"}], "xhtml:br": [null, null], "xhtml:i": "//print exception message that includes exception message and configuration file location", "#text": "try {}\n                     \n                     catch (Exception $e) {}"}}, "Body_Text": "If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database."}, {"Intro_Text": "The following code generates an error message that leaks the full pathname of the configuration file.", "Example_Code": {"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null], "xhtml:i": "# avoid CWE-22, CWE-78, others.", "xhtml:div": {"@style": "margin-left:1em;", "#text": "ExitError(\"Error: $file does not exist\");"}, "#text": "$ConfigDir = \"/home/myprog/config\";$uname = GetUserInput(\"username\");\n                     \n                     \n                     ExitError(\"Bad hacker!\") if ($uname !~ /^\\w+$/);$file = \"$ConfigDir/$uname.txt\";if (! (-e $file)) {}..."}}, "Body_Text": "If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application."}, {"@Demonstrative_Example_ID": "DX-119", "Intro_Text": "In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null], "#text": "query = \"SELECT * FROM accounts WHERE owner = \"+ username + \" AND accountID = \" + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);"}, "#text": "if (isAuthorizedUser(username)) {}"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "String logMessage = \"Unable to retrieve account information from database,\\nquery: \" + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);"}], "#text": "BankAccount userAccount = null;String query = null;try {} catch (SQLException ex) {}return userAccount;"}}, "#text": "public BankAccount getUserBankAccount(String username, String accountNumber) {}"}}, "Body_Text": "The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2008-2049", "Description": "POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2049"}, {"Reference": "CVE-2007-5172", "Description": "Program reveals password in error message if attacker can trigger certain database errors.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-5172"}, {"Reference": "CVE-2008-4638", "Description": "Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-4638"}, {"Reference": "CVE-2008-1579", "Description": "Existence of user names can be determined by requesting a nonexistent blog and reading the error message.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-1579"}, {"Reference": "CVE-2007-1409", "Description": "Direct request to library file in web application triggers pathname leak in error message.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-1409"}, {"Reference": "CVE-2008-3060", "Description": "Malformed input to login page causes leak of full path when IMAP call fails.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-3060"}, {"Reference": "CVE-2005-0603", "Description": "Malformed regexp syntax leads to information exposure in error message.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-0603"}, {"Reference": "CVE-2017-9615", "Description": "verbose logging stores admin credentials in a world-readablelog file", "Link": "https://www.cve.org/CVERecord?id=CVE-2017-9615"}, {"Reference": "CVE-2018-1999036", "Description": "SSH password for private key stored in build log", "Link": "https://www.cve.org/CVERecord?id=CVE-2018-1999036"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CLASP", "Entry_Name": "Accidental leaking of sensitive information through error messages"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A6", "Entry_Name": "Information Leakage and Improper Error Handling", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A7", "Entry_Name": "Improper Error Handling", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A10", "Entry_Name": "Insecure Configuration Management", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "ERR01-J", "Entry_Name": "Do not allow exceptions to expose sensitive information"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP23", "Entry_Name": "Exposed Data"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "215"}, {"@CAPEC_ID": "463"}, {"@CAPEC_ID": "54"}, {"@CAPEC_ID": "7"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-174"}, {"@External_Reference_ID": "REF-175", "@Section": "Section 9.2, Page 326"}, {"@External_Reference_ID": "REF-176", "@Section": "Chapter 16, \"General Good Practices.\" Page 415"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 11: Failure to Handle Errors Correctly.\" Page 183"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 12: Information Leakage.\" Page 191"}, {"@External_Reference_ID": "REF-179"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 3, \"Overly Verbose Error Messages\", Page 75"}, {"@External_Reference_ID": "REF-18"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Other", "xhtml:p": ["The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks.", "The error message may be created in different ways:"], "xhtml:ul": {"xhtml:li": ["self-generated: the source code explicitly constructs the error message and delivers it", "externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer"]}}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-01-12", "Modification_Version": "1.2", "Modification_ReleaseDate": "2009-01-12", "Modification_Comment": "updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Demonstrative_Examples, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Detection_Factors, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Common_Consequences, Detection_Factors, Potential_Mitigations, References"}, {"Modification_Organization": "Veracode", "Modification_Date": "2010-09-09", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "Suggested OWASP Top Ten mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-09-19", "Modification_Version": "3.4", "Modification_ReleaseDate": "2019-09-19", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Potential_Mitigations, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Common_Consequences, Description, Diagram, Other_Notes, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships"}], "Contribution": {"@Type": "Feedback", "Contribution_Name": "Nick Johnston", "Contribution_Date": "2022-07-11", "Contribution_Comment": "Identified incorrect language tag in demonstrative example."}, "Previous_Entry_Name": [{"@Date": "2009-01-12", "#text": "Error Message Information Leaks"}, {"@Date": "2009-12-28", "#text": "Error Message Information Leak"}, {"@Date": "2020-02-24", "#text": "Information Exposure Through an Error Message"}]}}
