| Name |
Lifting Sensitive Data Embedded in Cache |
|
| Likelyhood of attack |
Typical severity |
| High |
Medium |
|
| Summary |
An attacker examines a target application's cache for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information. |
| Prerequisites |
The target application must store sensitive information in a cache. The cache must be inadequately protected against attacker access. |
| Solutions | |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-311 |
Missing Encryption of Sensitive Data |
| CWE-524 |
Use of Cache Containing Sensitive Information |
| CWE-1239 |
Improper Zeroization of Hardware Register |
| CWE-1258 |
Exposure of Sensitive System Information Due to Uncleared Debug Information |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-167 |
An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. |
|