CWE-202: Exposure of Sensitive Information Through Data Queries
CWE version: 4.18
Last updated: 2025-09-09
Description
Even when a system tries to keep information confidential, an attacker can often infer some of it statistically from the answers to queries the system does permit.
Extended Description
In situations where data should not be tied to individual users, but a large number of users are allowed to make queries that "scrub" user identity from the results, it may still be possible to learn information about a particular user, e.g. by specifying search terms that are known to match only that user, so that the scrubbed result describes them alone.
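The query pattern described above, as an added example that is not part of the CWE entry: a toy aggregate-only salary endpoint (no names are ever returned), a two-query differencing attack that isolates one employee with a selector unique to them, and a query-set-size restriction that blocks the direct single-user query but not the differencing pair. The employee records, the field names, and the threshold `MIN_RESULT_SET` are all constructed for the example.

```python
"""Added example, not from the CWE entry: a toy salary-statistics endpoint
that returns only aggregates, and a differencing attack that recovers one
employee's salary with two permitted queries. All records are constructed."""
from typing import Callable, Dict, List

MIN_RESULT_SET = 5  # assumed "k" for the query-set-size restriction

# Constructed records. hire_date is the kind of field that is unique to one
# person within a small department and therefore usable as a selector.
EMPLOYEES: List[Dict] = [
    {"name": "alice", "dept": "eng", "hire_date": "2019-03-04", "salary": 120000},
    {"name": "bob",   "dept": "eng", "hire_date": "2020-07-19", "salary": 110000},
    {"name": "carol", "dept": "eng", "hire_date": "2018-11-23", "salary": 135000},
    {"name": "dave",  "dept": "eng", "hire_date": "2021-01-08", "salary": 105000},
    {"name": "erin",  "dept": "eng", "hire_date": "2017-05-30", "salary": 140000},
    {"name": "frank", "dept": "eng", "hire_date": "2022-09-12", "salary": 98000},
    {"name": "grace", "dept": "ops", "hire_date": "2019-03-04", "salary": 90000},
]

Predicate = Callable[[Dict], bool]


def sum_salary(where: Predicate) -> int:
    """Leaky aggregate API: no names are returned, but any predicate is allowed."""
    return sum(r["salary"] for r in EMPLOYEES if where(r))


def sum_salary_k(where: Predicate) -> int:
    """Same API with a query-set-size restriction: refuse to answer when the
    matched set is smaller than MIN_RESULT_SET."""
    matched = [r for r in EMPLOYEES if where(r)]
    if len(matched) < MIN_RESULT_SET:
        raise PermissionError("result set too small")
    return sum(r["salary"] for r in matched)


def differencing_attack(query: Callable[[Predicate], int],
                        dept: str, unique_hire_date: str) -> int:
    """Recover one person's salary as sum(dept) minus sum(dept without them).
    Both queries describe large sets, so a size threshold answers them."""
    total = query(lambda r: r["dept"] == dept)
    rest = query(lambda r: r["dept"] == dept
                 and r["hire_date"] != unique_hire_date)
    return total - rest


def direct_query_allowed(query: Callable[[Predicate], int],
                         dept: str, hire_date: str) -> bool:
    """True if the API answers a query whose predicate singles out one person."""
    try:
        query(lambda r: r["dept"] == dept and r["hire_date"] == hire_date)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("leaky API, direct single-user query answered:",
          direct_query_allowed(sum_salary, "eng", "2019-03-04"))
    print("leaky API, differencing:",
          differencing_attack(sum_salary, "eng", "2019-03-04"))
    print("threshold API, direct single-user query answered:",
          direct_query_allowed(sum_salary_k, "eng", "2019-03-04"))
    print("threshold API, differencing:",
          differencing_attack(sum_salary_k, "eng", "2019-03-04"))
```

The threshold stops the obvious query but the two-query difference still yields the exact salary, which is why a minimum result-set size on its own is not a fix for this weakness; limiting query overlap, adding calibrated noise to aggregates, or auditing query sequences are the usual further controls.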
Common Consequences
Scope: Confidentiality
Technical Impact: Read Files or Directories; Read Application Data
Note: Sensitive information may be leaked accidentally through data queries.
Potential Mitigations
Phase: Architecture and Design
Description: This is a complex topic. See the book Translucent Databases (Peter Wayner) for a good discussion of best practices.
Observed Examples
Reference: CVE-2022-41935
A wiki product allows an adversary to discover filenames via a series of queries that start with one letter and then iteratively extend the match.
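The enumeration technique in the observed example, as an added example that is not code from the CWE entry or from the affected product: a toy attachment store exposing a prefix-count query, a depth-first search that extends the prefix one character at a time until whole names are recovered, and a hardened variant of the query that suppresses any answer describing fewer than `K` records, so a name held by a single user never clears the threshold. The attachment names, owners, alphabet and `K` are constructed for the example.

```python
"""Added example, not code from the CWE entry or the affected product: a toy
attachment store with a prefix-count query, the one-character-at-a-time
enumeration described in the observed example, and a k-threshold variant of
the query that never answers for fewer than K records. All data is constructed."""
import string
from typing import Callable, Dict, List

K = 2  # assumed minimum number of records a query answer may describe

# Constructed data: owner -> attachment names the attacker may not list directly.
ATTACHMENTS: Dict[str, List[str]] = {
    "alice": ["budget-2025.xlsx"],
    "bob":   ["budget-2024.xlsx"],
    "carol": ["payroll-q3.csv"],
    "dave":  ["payroll-q2.csv"],
}
ALPHABET = string.ascii_lowercase + string.digits + "-._"


def prefix_count(prefix: str) -> int:
    """Leaky query: how many attachments (from any owner) start with `prefix`.
    No owner is named, but the answer is exact even for a single record."""
    return sum(name.startswith(prefix)
               for names in ATTACHMENTS.values() for name in names)


def prefix_count_k(prefix: str) -> int:
    """Hardened query: report 0 unless at least K attachments match, so no
    answer ever describes one user's record on its own."""
    n = prefix_count(prefix)
    return n if n >= K else 0


def enumerate_names(query: Callable[[str], int]) -> List[str]:
    """Walk the prefix tree: keep every extension the API confirms, and record
    a prefix as a complete name when extending it loses at least one match."""
    found: List[str] = []

    def walk(prefix: str) -> None:
        total = query(prefix)
        extended = 0
        for ch in ALPHABET:
            n = query(prefix + ch)
            if n:
                extended += n
                walk(prefix + ch)
        if total > extended:  # at least one record ends exactly here
            found.append(prefix)

    walk("")
    return sorted(found)


def unique_names_leaked(learned: List[str]) -> List[str]:
    """Which learned strings are complete attachment names held by one user."""
    owners: Dict[str, int] = {}
    for names in ATTACHMENTS.values():
        for name in names:
            owners[name] = owners.get(name, 0) + 1
    return sorted(s for s in learned if owners.get(s) == 1)


if __name__ == "__main__":
    print("leaky API:", enumerate_names(prefix_count))
    print("hardened API:", enumerate_names(prefix_count_k))
```

Against the leaky query the walk recovers every attachment name; against the thresholded query it stops at the longest prefixes shared by at least `K` records ("budget-202", "payroll-q"), which identify no individual. The threshold is effective here because each record is unique, unlike aggregate endpoints where two large, overlapping queries can be differenced.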
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Accidental leaking of sensitive information through data queries | - |