{"@ID": "210", "@Name": "Self-generated Error Message Containing Sensitive Information", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "209", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}]}, "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Application Data"}}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-40", "Phase": ["Implementation", "Build and Compilation"], "Strategy": "Compilation or Build Hardening", "Description": "Debugging information should not make its way into a production release."}, {"@Mitigation_ID": "MIT-40", "Phase": ["Implementation", "Build and Compilation"], "Strategy": "Environment Hardening", "Description": "Debugging information should not make its way into a production release."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits.", "Example_Code": {"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null], "xhtml:i": "# avoid CWE-22, CWE-78, others.", "xhtml:div": [{"@style": "margin-left:1em;", "#text": "ExitError(\"Bad hacker!\") ;"}, {"@style": "margin-left:1em;", "#text": "ExitError(\"Error: $filename does not exist\");"}], "#text": "$uname = GetUserInput(\"username\");\n                     \n                     \n                     \n                     if ($uname !~ /^\\w+$/){}\n                     $filename = \"/home/myprog/config/\" . $uname . \".txt\";if (!(-e $filename)){}"}}, "Body_Text": "If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application."}}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2005-1745", "Description": "Infoleak of sensitive information in error message (physical access required).", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1745"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Product-Generated Error Message Infoleak"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP23", "Entry_Name": "Exposed Data"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-44", "@Section": "\"Sin 12: Information Leakage.\" Page 191"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 3, \"Overly Verbose Error Messages\", Page 75"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Name, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Name, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Functional_Areas, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Name, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Previous_Entry_Name": [{"@Date": "2011-03-29", "#text": "Product-Generated Error Message Information Leak"}, {"@Date": "2012-10-30", "#text": "Information Exposure Through Generated Error Message"}, {"@Date": "2020-02-24", "#text": "Information Exposure Through Self-generated Error Message"}]}}
