Abstraction: Base · Status: Incomplete

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

Category: data-exposure

Description

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.

Common consequences· 1

  • Confidentiality — Read Memory

Potential mitigations· 3

  • [Architecture and Design]
  • [Policy]
  • [Implementation]

Related CAPEC attack patterns· 5

  • CAPEC-150 — Collect Data from Common Resource Locations
  • CAPEC-37 — Retrieve Embedded Sensitive Data
  • CAPEC-545 — Pull Data from System Resources
  • CAPEC-546 — Incomplete Data Deletion in a Multi-Tenant Environment
  • CAPEC-675 — Retrieve Data from Decommissioned Devices

References

  1. https://cwe.mitre.org/data/definitions/1266.html

Exploits (incoming)· 5

Type           Target                                                          Confidence  Tier
AttackPattern  Pull Data from System Resources (capec-545)                     100%        live
AttackPattern  Retrieve Data from Decommissioned Devices (capec-675)           100%        live
AttackPattern  Incomplete Data Deletion in a Multi-Tenant Environment (capec-546)  100%    live
AttackPattern  Collect Data from Common Resource Locations (capec-150)         100%        live
AttackPattern  Retrieve Embedded Sensitive Data (capec-37)                     100%        live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Insufficient or Incomplete Data Removal within Hardware Component
  • CWE: Improper Removal of Sensitive Information Before Storage or Transfer
  • CWE: Sensitive Information in Resource Not Removed Before Reuse
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Cleartext Storage of Sensitive Information in Memory
  • CWE: Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.