BaseDraft
CWE-209Generation of Error Message Containing Sensitive Information
Category: data-exposure
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common consequences· 1
- Confidentiality — Read Application DataOften this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
Potential mitigations· 5
- [Implementation]
- [Implementation]Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
- [Implementation]Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
- [Implementation, Build and Compilation]Debugging information should not make its way into a production release.
- [Implementation, Build and Compilation]Debugging information should not make its way into a production release.
Related CAPEC attack patterns· 4
References
Exploits (incoming)4
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Padding Oracle Crypto Attackcapec-463 | 100% | live |
| AttackPattern | Fuzzing for application mappingcapec-215 | 100% | live |
| AttackPattern | Query System for Informationcapec-54 | 100% | live |
| AttackPattern | Blind SQL Injectioncapec-7 | 100% | live |
Compliance frameworks addressing this (incoming)1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | owasp_api_top10-api09 | 100% | live |
(incoming)8
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-1395cve-2025-1395 | 0% | live |
| Vulnerability | CVE-2025-31998cve-2025-31998 | 0% | live |
| Vulnerability | CVE-2025-46658cve-2025-46658 | 0% | live |
| Vulnerability | Wing FTP Server Information Disclosure Vulnerabilitycve-2025-47813 | 0% | live |
| Vulnerability | CVE-2025-68110cve-2025-68110 | 0% | live |
| Vulnerability | CVE-2026-34045cve-2026-34045 | 0% | live |
| KEVEntry | Microsoft .NET Framework Information Disclosure Vulnerabilitykev-cve-2024-29059 | 0% | live |
| KEVEntry | Wing FTP Server Information Disclosure Vulnerabilitykev-cve-2025-47813 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.