CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device
When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.
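As an added example (not part of the CWE entry or of any MITRE tooling), the following Python simulates a small device image and contrasts a logical delete, which leaves the credentials and network configuration recoverable, with a full overwrite, then runs a decommissioning check for residual secrets. The image layout, file names and secret patterns are constructed for the demonstration.

```python
import os
import re

# Patterns for the kinds of sensitive data the CWE names (credentials, network config);
# these are illustrative, not an exhaustive scrub-verification rule set.
SENSITIVE_PATTERNS = [
    re.compile(rb"(?:password|passwd)\s*=\s*\S+"),
    re.compile(rb"psk\s*=\s*\S+"),
    re.compile(rb"api_key\s*=\s*\S+"),
]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # strings(1)-style plaintext residue check


def build_image(size=4096):
    """Constructed sample image: a 512-byte directory block, then a config file (not a real device)."""
    config = b"hostname=gw01\nwifi_psk=CorrectHorseBattery\nadmin_password=hunter2\n"
    image = bytearray(size)
    header = b"FILE /etc/device.conf offset=512 len=%d\n" % len(config)
    image[0:len(header)] = header
    image[512:512 + len(config)] = config
    return image


def logical_delete(image):
    """Improper scrub: clears only the directory block; the file contents stay on the medium."""
    image[0:512] = bytes(512)
    return image


def overwrite_scrub(image, passes=1):
    """Proper scrub: overwrite every byte with random data, then with zeros."""
    for _ in range(passes):
        image[:] = os.urandom(len(image))
    image[:] = bytes(len(image))
    return image


def find_residual_secrets(image):
    """Offsets and contents of sensitive patterns still readable from the image."""
    data = bytes(image)
    return [(m.start(), m.group()) for p in SENSITIVE_PATTERNS for m in p.finditer(data)]


def verify_scrub(image):
    """Decommissioning check: no known secrets and no printable residue left on the medium."""
    return not find_residual_secrets(image) and PRINTABLE_RUN.search(bytes(image)) is None


if __name__ == "__main__":
    print("after logical delete:", find_residual_secrets(logical_delete(build_image())))
    print("after overwrite scrub:", verify_scrub(overwrite_scrub(build_image())))
```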
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | |
Policy | |
Implementation | |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Not Language-Specific | | |
Operating System | Not OS-Specific | | |
Architecture | Not Architecture-Specific | | |
Technology | Not Technology-Specific | | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
ID | Name | Weaknesses |
---|---|---|
CAPEC-37 | Retrieve Embedded Sensitive Data | CWE-1266 |
CAPEC-150 | Collect Data from Common Resource Locations | CWE-1266 |
CAPEC-545 | Pull Data from System Resources | CWE-1266 |
CAPEC-546 | Incomplete Data Deletion in a Multi-Tenant Environment | CWE-1266 |
CAPEC-675 | Retrieve Data from Decommissioned Devices | CWE-1266 |