CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device
When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | |
| Policy | |
| Implementation |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific | ||
| Operating_system | Not OS-Specific | ||
| Architecture | Not Architecture-Specific | ||
| Technology | Not Technology-Specific |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-37 | Retrieve Embedded Sensitive Data | CWE-1266 |
| CAPEC-150 | Collect Data from Common Resource Locations | CWE-1266 |
| CAPEC-545 | Pull Data from System Resources | CWE-1266 |
| CAPEC-546 | Incomplete Data Deletion in a Multi-Tenant Environment | CWE-1266 |
| CAPEC-675 | Retrieve Data from Decommissioned Devices | CWE-1266 |