CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Authored by Adam Lundqvist.
Showing 1–50 of 72 in Data Exposure · page 1 of 2
| ID | Title | Summary |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from t… |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that … |
| CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug | Access to security-sensitive information stored in fuses is not limited during debug. |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | The security-sensitive hardware module contains semiconductor defects. |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbi… |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to infor… |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. The SameSite attribute controls how cookies are sent for cross-domain r… |
| CWE-1323 | Improper Management of Sensitive Trace Data | Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untr… |
| CWE-1324 | DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface | This entry has been deprecated because it was at a lower level of abstraction than supported by CWE. All relevant content has been integrated into CWE-319. |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution. |
| CWE-1420 | Exposure of Sensitive Information during Transient Execution | A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data ov… |
| CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution | A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microa… |
| CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution | A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert chan… |
| CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution | Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is… |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be … |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an… |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product ma… |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded… |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating syste… |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When d… |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besi… |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root | The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contain… |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-313 | Cleartext Storage in a File or on Disk | The product stores sensitive information in cleartext in a file, or on disk. The sensitive information could be read by attackers with access to the file, or … |
| CWE-314 | Cleartext Storage in the Registry | The product stores sensitive information in cleartext in the registry. Attackers can read the information by accessing the registry key. Even if the informati… |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | The product stores sensitive information in cleartext in a cookie. Attackers can use widely-available tools to view the cookie and read the sensitive informat… |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | The product stores sensitive information in cleartext in memory. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | The product stores sensitive information in cleartext within the GUI. An attacker can often obtain data from a GUI, even if hidden, by using an API to directl… |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | The product stores sensitive information in cleartext in an executable. Attackers can reverse engineer binary code to obtain secret data. This is especially e… |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection req… |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those … |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invok… |
| CWE-492 | Use of Inner Class Containing Sensitive Data | Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. … |
| CWE-498 | Cloneable Class Containing Sensitive Information | The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. Cloneable classes are effective… |
| CWE-499 | Serializable Class Containing Sensitive Data | The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through … |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext o… |
| CWE-524 | Use of Cache Containing Sensitive Information | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may… |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. Information stored in an environment variable can be accessible by other … |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would eve… |