CWE•Base•Draft•5 recent CVEs

CWE-202Exposure of Sensitive Information Through Data Queries

Description

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Common consequences

Confidentiality→Read Files or Directories,Read Application Data
Sensitive information may possibly be leaked through data queries accidentally.

Potential mitigations

Architecture and Design
This is a complex topic. See the [REF-1492] for a good discussion of best practices.

Recent CVEs classified under this CWE

CVE-2026-427974.92026-05-25 CVE-2026-35465.32026-03-21 CVE-2024-64007.52024-10-04 CVE-2024-20888.52024-05-22 CVE-2023-70727.52024-03-12

Description

Common consequences

Potential mitigations

Related CWEs

Recent CVEs classified under this CWE