BaseStable

CWE-1272Sensitive Information Uncleared Before Debug/Power State Transition

Category: data-exposure

Description

The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.

Common consequences· 1

  • Confidentiality / Integrity / Availability / Access Control / Accountability / Authentication / Authorization / Non-Repudiation — Read Memory, Read Application Data
    Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security.

Potential mitigations· 1

  • [Architecture and Design, Implementation]During state transitions, information not needed in the next state should be removed before the transition to the next state.

Related CAPEC attack patterns· 4

CAPEC-150CAPEC-37CAPEC-545CAPEC-546

References

  1. https://cwe.mitre.org/data/definitions/1272.html

Exploits (incoming)4

TypeTargetConfidenceTier
AttackPatternRetrieve Embedded Sensitive Datacapec-37100%live
AttackPatternCollect Data from Common Resource Locationscapec-150100%live
AttackPatternPull Data from System Resourcescapec-545100%live
AttackPatternIncomplete Data Deletion in a Multi-Tenant Environmentcapec-546100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE
Sensitive Non-Volatile Information Not Protected During Debug
CWE
Uninitialized Value on Reset for Registers Holding Security Settings
CWE
Internal Asset Exposed to Unsafe Debug Access Level or State
CWE
Improper Lock Behavior After Power State Transition
CWE
Information Exposure through Microarchitectural State after Transient Execution
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.