CWE • Base • Draft • 20 recent CVEs
CWE-209: Generation of Error Message Containing Sensitive Information
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common consequences
- Confidentiality → Read Application Data: Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might y
Potential mitigations
- Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
- Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
- Implementation, Build and Compilation: Debugging information should not make its way into a production release.
- System Configuration: Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
- System Configuration: Create default error pages or messages that do not leak any information.
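
The mitigations above (handle exceptions internally, return a default message) shown as an added Python example that is not part of the original page: one handler echoes the exception text to the client, the other logs it server-side and returns a fixed message with a reference id. The function names, the base path /srv/app/reports and the logger name are assumptions constructed for illustration.

```python
import logging
import uuid

# Server-side log only; the logger name is an assumption for this example.
log = logging.getLogger("app.errors")

GENERIC_MESSAGE = "The request could not be completed."


def read_report(name, base="/srv/app/reports"):
    """Constructed stand-in for application code that fails with a detailed error."""
    with open(f"{base}/{name}", "rb") as fh:
        return fh.read().decode()


def verbose_handler(name):
    """CWE-209 pattern: exception type and text are returned to the client."""
    try:
        return 200, read_report(name)
    except Exception as exc:
        # The message carries the errno text and the absolute server path.
        return 500, f"{type(exc).__name__}: {exc}"


def safe_handler(name):
    """Handle the exception internally; the client sees a default message."""
    try:
        return 200, read_report(name)
    except Exception:
        # A random reference lets support staff find the full log entry
        # without the response disclosing anything about the failure.
        ref = uuid.uuid4().hex[:12]
        log.exception("report read failed ref=%s name=%r", ref, name)
        return 500, f"{GENERIC_MESSAGE} Reference: {ref}"


if __name__ == "__main__":
    # Constructed request for a file that does not exist.
    print("verbose:", verbose_handler("missing.txt"))
    print("safe:   ", safe_handler("missing.txt"))
```

The full traceback still reaches the operator through the logger, so the generic response does not cost any diagnostic detail.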
Related CWEs
Recent CVEs classified under this CWE
- CVE-2025-52611 • 3.1 • 2026-06-04
- CVE-2025-52606 • 4.3 • 2026-06-04
- CVE-2026-9794 • 5.3 • 2026-05-28
- CVE-2026-42459 • 7.5 • 2026-05-27
- CVE-2026-1248 • 4.3 • 2026-05-27
- CVE-2024-28765 • 5.3 • 2026-05-27
- CVE-2026-9583 • 4.3 • 2026-05-26
- CVE-2026-45728 • 7.5 • 2026-05-26
- CVE-2026-5511 • 2.7 • 2026-05-19
- CVE-2026-7860 • 2026-05-19
- CVE-2026-41935 • 7.1 • 2026-05-14
- CVE-2026-42552 • 7.5 • 2026-05-13
- CVE-2026-44002 • 5.8 • 2026-05-13
- CVE-2026-43873 • 7.5 • 2026-05-11
- CVE-2026-44226 • 5.3 • 2026-05-11
- CVE-2026-41644 • 7.1 • 2026-05-07
- CVE-2026-41931 • 5.3 • 2026-05-06
- CVE-2025-31960 • 5.3 • 2026-05-06
- CVE-2025-59853 • 3.1 • 2026-05-06
- CVE-2026-40969 • 3.7 • 2026-04-28