CWE-209: Generation of Error Message Containing Sensitive Information

ID: CWE-209
Abstraction: Base
Structure: Simple
Status: Draft
Number of CVEs: 341
The product generates an error message that includes sensitive information about its environment, users, or associated data.

The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:

  • self-generated: the source code explicitly constructs the error message and delivers it
  • externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents the programmer does not directly control

An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
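The externally-generated case above, as an added Python example that is not part of the CWE entry: the leaky handler copies the interpreter's own OSError text into the response, so a missing file reveals the absolute install path, while the hardened handler keeps that detail in the server log and returns only an incident id. TEMPLATE_DIR and the function names are constructed for this illustration.

```python
import logging
import os
import uuid

# Constructed for this example: a hypothetical install location that the raw error text would reveal.
TEMPLATE_DIR = "/srv/app-demo/templates"

log = logging.getLogger("app.templates")


def render_leaky(name):
    """CWE-209, externally-generated variant: the interpreter's OSError text is copied
    into the client response, so a missing file exposes the absolute path of the install."""
    try:
        with open(os.path.join(TEMPLATE_DIR, name), encoding="utf-8") as fh:
            return 200, fh.read()
    except OSError as exc:
        # str(exc) reads like "[Errno 2] No such file or directory: '/srv/app-demo/templates/...'"
        return 500, "Template error: %s" % exc


def render_hardened(name):
    """Same operation; the detail goes to the server log under an incident id and the
    client receives only that id, which operators can correlate with the log entry."""
    try:
        with open(os.path.join(TEMPLATE_DIR, name), encoding="utf-8") as fh:
            return 200, fh.read()
    except OSError as exc:
        incident = uuid.uuid4().hex
        # Full detail (path, errno) stays where only operators can read it.
        log.error("incident=%s template=%r error=%s", incident, name, exc)
        return 500, "The page could not be rendered (incident %s)." % incident


def leaks_environment(body):
    """Defender-side check: does a client-visible body expose the install path?"""
    return TEMPLATE_DIR in body
```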

Modes of Introduction

Phase Note
Architecture and Design
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic.
System Configuration
Operation

Applicable Platforms

Type Class Name Prevalence
Language PHP
Language Java
Language Not Language-Specific

Relationships

View: CWE-1000 Research Concepts (Draft). Weakness: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Class, Simple, Draft)
View: CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities (Incomplete). Weakness: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Class, Simple, Draft)
View: CWE-1000 Research Concepts (Draft). Weakness: CWE-755 Improper Handling of Exceptional Conditions (Class, Simple, Incomplete)

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
ID: CAPEC-7, Name: Blind SQL Injection, Weaknesses: CWE-209
ID: CAPEC-54, Name: Query System for Information, Weaknesses: CWE-209
ID: CAPEC-215, Name: Fuzzing for application mapping, Weaknesses: CWE-209
ID: CAPEC-463, Name: Padding Oracle Crypto Attack, Weaknesses: CWE-209

Charts (not rendered on this page): CVEs Published; CVSS Severity; CVSS Severity by Year; CVSS Base Score