BaseDraft

CWE-201Insertion of Sensitive Information Into Sent Data

Category: data-exposure

Description

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Common consequences· 1

  • Confidentiality — Read Files or Directories, Read Memory, Read Application Data
    Sensitive data may be exposed to attackers.

Potential mitigations· 4

  • [Requirements]Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.
  • [Implementation]Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.
  • [System Configuration]Setup default error messages so that unexpected errors do not disclose sensitive information.
  • [Architecture and Design]

Related CAPEC attack patterns· 9

CAPEC-12CAPEC-217CAPEC-612CAPEC-613CAPEC-618CAPEC-619CAPEC-621CAPEC-622CAPEC-623

References

  1. https://cwe.mitre.org/data/definitions/201.html

Exploits (incoming)9

TypeTargetConfidenceTier
AttackPatternCellular Broadcast Message Requestcapec-618100%live
AttackPatternExploiting Incorrectly Configured SSL/TLScapec-217100%live
AttackPatternSignal Strength Trackingcapec-619100%live
AttackPatternCompromising Emanations Attackcapec-623100%live
AttackPatternWiFi MAC Address Trackingcapec-612100%live
AttackPatternChoosing Message Identifiercapec-12100%live
AttackPatternAnalysis of Packet Timing and Sizescapec-621100%live
AttackPatternWiFi SSID Trackingcapec-613100%live
AttackPatternElectromagnetic Side-Channel Attackcapec-622100%live

Compliance frameworks addressing this (incoming)2

TypeTargetConfidenceTier
ComplianceControlowasp_llm_top10-llm07100%live
ComplianceControlcis_v8-3100%live

(incoming)8

TypeTargetConfidenceTier
VulnerabilityCVE-2025-3529cve-2025-35290%live
VulnerabilityCVE-2025-47775cve-2025-477750%live
VulnerabilityCVE-2025-48749cve-2025-487490%live
VulnerabilityCVE-2025-49408cve-2025-494080%live
VulnerabilityCVE-2025-58098cve-2025-580980%live
VulnerabilityCVE-2026-39912cve-2026-399120%live
VulnerabilityCVE-2026-4525cve-2026-45250%live
VulnerabilityCVE-2026-5483cve-2026-54830%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Exposure of Sensitive Information to an Unauthorized Actor
CWE
Improper Removal of Sensitive Information Before Storage or Transfer
CWE
Exposure of Sensitive Information Due to Incompatible Policies
CWE
Insertion of Sensitive Information Into Debugging Code
CWE
Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE
Use of HTTP Request With Sensitive Query String
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.