CWE-209
AllowedGeneration of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft
The product generates an error message that includes sensitive information about its environment, users, or associated data.
833 vulnerabilities reference this CWE, most recent first.
GHSA-347P-RFHX-H7FF
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-12-07 21:30IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
{
"affected": [],
"aliases": [
"CVE-2019-4441"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-03T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.",
"id": "GHSA-347p-rfhx-h7ff",
"modified": "2022-12-07T21:30:29Z",
"published": "2022-05-24T16:57:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4441"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/163177"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/959023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-35HG-HHVC-V35W
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196341.
{
"affected": [],
"aliases": [
"CVE-2021-20430"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-26T12:15:00Z",
"severity": "MODERATE"
},
"details": "IBM i2 Analyst\u0027s Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196341.",
"id": "GHSA-35hg-hhvc-v35w",
"modified": "2022-05-24T19:09:13Z",
"published": "2022-05-24T19:09:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20430"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196341"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6474861"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-36HQ-V2FC-RPQP
Vulnerability from github – Published: 2023-08-16 15:30 – Updated: 2023-08-16 21:13Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.
In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.
Folders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cloudbees-folder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.848.ve3b"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40338"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-16T21:13:57Z",
"nvd_published_at": "2023-08-16T15:15:11Z",
"severity": "MODERATE"
},
"details": "Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.\n\nIn Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.\n\nFolders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.",
"id": "GHSA-36hq-v2fc-rpqp",
"modified": "2023-08-16T21:13:57Z",
"published": "2023-08-16T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40338"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3109"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/08/16/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Folders Plugin information disclosure vulnerability"
}
GHSA-3728-546X-W527
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland.
An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-27015"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-30T00:15:00Z",
"severity": "MODERATE"
},
"details": "Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure\u00a0vulnerability\u00a0that if exploited, could allow kernel pointers and debug messages\u00a0to leak to userland.\n\n\n\nAn attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-3728-546x-w527",
"modified": "2022-05-24T22:28:06Z",
"published": "2022-05-24T22:28:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27015"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-09975"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1286"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-37PM-83G7-R22V
Vulnerability from github – Published: 2026-06-19 14:16 – Updated: 2026-06-19 14:16Summary
In affected versions, the OAuth2 token request sends app_id, app_secret,
refresh_token and code as URL query parameters of the POST request to
https://oauth.<domain>/oauth/api/oauth2/token. Request URLs are commonly
recorded in access logs, proxy logs and APM traces, so the application secret
and refresh token can be persisted in plain text outside the application's
control.
In addition, when the token request fails, the Guzzle exception message —
which contains the full request URI including the credentials — was passed
unmodified into the AuthorizationFailedException thrown by
OAuth2::obtainAccessToken(). Applications that log exceptions or forward
them to error trackers (e.g. Sentry) may therefore have recorded the app
secret in their logs.
## Impact
An attacker with access to web server logs, proxy logs, APM tracing data or
application error logs of a consumer of this library can obtain the Canto
app_secret, refresh_token or authorization code and use them to obtain
access tokens for the Canto tenant.
## Patches
Fixed in 3.0.0:
- OAuth credentials are sent in the form-encoded POST body instead of the URL
query string (RFC 6749 §2.3.1).
OAuth2Request::getQueryParams()now returnsnull; the parameters are available viagetFormParams(). - Exception messages are sanitized before being rethrown: the values of
app_secret,refresh_tokenandcodeare masked (including url-encoded, differently cased and JSON-embedded variants).
## Workarounds
If you cannot upgrade:
- Treat web server, proxy and APM logs of systems performing Canto OAuth requests as secret material and restrict access to them.
- Catch
AuthorizationFailedExceptionin your application and strip the query string from the message before logging or forwarding it.
If your logs may have been exposed, rotate the affected Canto app secret.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0"
},
"package": {
"ecosystem": "Packagist",
"name": "jleehr/canto-saas-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55375"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:16:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n In affected versions, the OAuth2 token request sends `app_id`, `app_secret`,\n `refresh_token` and `code` as URL query parameters of the POST request to\n `https://oauth.\u003cdomain\u003e/oauth/api/oauth2/token`. Request URLs are commonly\n recorded in access logs, proxy logs and APM traces, so the application secret\n and refresh token can be persisted in plain text outside the application\u0027s\n control.\n\n In addition, when the token request fails, the Guzzle exception message \u2014\n which contains the full request URI including the credentials \u2014 was passed\n unmodified into the `AuthorizationFailedException` thrown by\n `OAuth2::obtainAccessToken()`. Applications that log exceptions or forward\n them to error trackers (e.g. Sentry) may therefore have recorded the app\n secret in their logs.\n\n ## Impact\n\n An attacker with access to web server logs, proxy logs, APM tracing data or\n application error logs of a consumer of this library can obtain the Canto\n `app_secret`, `refresh_token` or authorization `code` and use them to obtain\n access tokens for the Canto tenant.\n\n ## Patches\n\n Fixed in 3.0.0:\n\n - OAuth credentials are sent in the form-encoded POST body instead of the URL\n query string (RFC 6749 \u00a72.3.1). `OAuth2Request::getQueryParams()` now\n returns `null`; the parameters are available via `getFormParams()`.\n - Exception messages are sanitized before being rethrown: the values of\n `app_secret`, `refresh_token` and `code` are masked (including url-encoded,\n differently cased and JSON-embedded variants).\n\n ## Workarounds\n\n If you cannot upgrade:\n\n - Treat web server, proxy and APM logs of systems performing Canto OAuth\n requests as secret material and restrict access to them.\n - Catch `AuthorizationFailedException` in your application and strip the query\n string from the message before logging or forwarding it.\n\n If your logs may have been exposed, rotate the affected Canto app secret.",
"id": "GHSA-37pm-83g7-r22v",
"modified": "2026-06-19T14:16:41Z",
"published": "2026-06-19T14:16:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jleehr/canto-saas-api/security/advisories/GHSA-37pm-83g7-r22v"
},
{
"type": "PACKAGE",
"url": "https://github.com/jleehr/canto-saas-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "canto-saas-api: OAuth credentials exposed in URL query string and exception messages"
}
GHSA-37W2-Q6VH-45V6
Vulnerability from github – Published: 2026-04-28 15:30 – Updated: 2026-05-06 20:00The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.
Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.grpc:spring-grpc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40969"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T20:00:01Z",
"nvd_published_at": "2026-04-28T15:16:30Z",
"severity": "LOW"
},
"details": "The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.",
"id": "GHSA-37w2-q6vh-45v6",
"modified": "2026-05-06T20:00:01Z",
"published": "2026-04-28T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40969"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-grpc"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-40969"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring gRPC AuthenticationException messages are reflected to remote client"
}
GHSA-37X5-QPM8-53RQ
Vulnerability from github – Published: 2023-10-16 12:33 – Updated: 2024-05-20 21:57Grafana is an open-source platform for monitoring and observability.
The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability.
The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source.
This vulnerability was fixed in version 1.2.2.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/google-sheets-datasource"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4457"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-20T23:27:36Z",
"nvd_published_at": "2023-10-16T10:15:12Z",
"severity": "MODERATE"
},
"details": "Grafana is an open-source platform for monitoring and observability.\n\nThe Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability.\n\nThe plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source.\n\nThis vulnerability was fixed in version 1.2.2.",
"id": "GHSA-37x5-qpm8-53rq",
"modified": "2024-05-20T21:57:06Z",
"published": "2023-10-16T12:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4457"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/google-sheets-datasource"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-4457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Google Sheets data source plugin for Grafana information disclosure vulnerability"
}
GHSA-3835-4HMW-PGJ9
Vulnerability from github – Published: 2024-12-25 15:30 – Updated: 2024-12-25 15:30IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2024-39725"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-25T14:15:21Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.",
"id": "GHSA-3835-4hmw-pgj9",
"modified": "2024-12-25T15:30:42Z",
"published": "2024-12-25T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39725"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7176782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-388R-W9FG-M2X5
Vulnerability from github – Published: 2026-02-04 21:30 – Updated: 2026-02-04 21:30IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
{
"affected": [],
"aliases": [
"CVE-2023-38017"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T21:15:56Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak System\u00a0is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.",
"id": "GHSA-388r-w9fg-m2x5",
"modified": "2026-02-04T21:30:32Z",
"published": "2026-02-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38017"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7254419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-39JX-3M57-R6QR
Vulnerability from github – Published: 2026-01-23 21:30 – Updated: 2026-01-26 18:31A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.
{
"affected": [],
"aliases": [
"CVE-2025-52023"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T21:15:50Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.",
"id": "GHSA-39jx-3m57-r6qr",
"modified": "2026-01-26T18:31:29Z",
"published": "2026-01-23T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52023"
},
{
"type": "WEB",
"url": "https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39"
},
{
"type": "WEB",
"url": "http://aptsys.com"
},
{
"type": "WEB",
"url": "http://gemscms.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation MIT-40
Strategy: Compilation or Build Hardening
Debugging information should not make its way into a production release.
Mitigation MIT-40
Strategy: Environment Hardening
Debugging information should not make its way into a production release.
Mitigation
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.