CWE-202
Exposure of Sensitive Information Through Data Queries
Description
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Files or Directories, Read Application Data
Potential Mitigations
This is a complex topic. See [REF-1492] for a good discussion of best practices.
CVE-2022-41935: Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.
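The weakness described above (a "scrubbed" query interface that still answers a search term unique to one user, or a series of queries that narrows the match down to a single record) is commonly mitigated with a minimum query set size control. The following is an added Python example, not code from the CWE entry or from [REF-1492]; the records, the threshold k = 3 and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data, not taken from the CWE entry.
@dataclass(frozen=True)
class Record:
    user: str
    city: str
    diagnosis: str

RECORDS = [
    Record("alice", "Springfield", "flu"),
    Record("bob", "Springfield", "none"),
    Record("carol", "Springfield", "none"),
    Record("dave", "Shelbyville", "flu"),
    Record("erin", "Shelbyville", "none"),
    Record("frank", "Shelbyville", "flu"),
    Record("grace", "Ogdenville", "asthma"),  # the only user in Ogdenville
    Record("heidi", "Springfield", "flu"),
]

MIN_SET_SIZE = 3  # k: the smallest group the interface is willing to describe

def unsafe_count(records, predicate: Callable[[Record], bool]) -> int:
    """Answers every aggregate query exactly. A predicate that matches only
    one user (e.g. city == 'Ogdenville') turns a 'scrubbed' count into a
    disclosure of that user's record."""
    return sum(1 for r in records if predicate(r))

def guarded_count(records, predicate: Callable[[Record], bool],
                  k: int = MIN_SET_SIZE) -> Optional[int]:
    """Minimum query set size control: refuse to answer when the matching
    set, or its complement, has fewer than k records. The complement check
    matters because total - count(not P) would otherwise leak the same value."""
    matched = sum(1 for r in records if predicate(r))
    if matched < k or len(records) - matched < k:
        return None  # suppressed: the query isolates too small a group
    return matched

def unique_terms(records, key: Callable[[Record], str]) -> list:
    """Review helper: attribute values that single out exactly one user,
    i.e. search terms a scrubbed interface must not accept as a filter."""
    counts: dict = {}
    for r in records:
        counts[key(r)] = counts.get(key(r), 0) + 1
    return sorted(v for v, n in counts.items() if n == 1)
```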
Applicable Platforms