CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CWE version: 4.18
Updated: 2025-09-09
Weakness Description
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Files or Directories; Read Application Data
Note: Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences, which will depend on what data is exposed. One possibility is the exposure of system data that allows an attacker to craft a specific, more effective attack.
Potential Mitigations
Phase: Requirements
Description: Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Phase: Architecture and Design
Strategy: Separation of Privilege
Phase: Implementation
Strategy: Attack Surface Reduction
Description: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Phase: Implementation
Description: Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
Observed Examples
Reference: CVE-2019-3733
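As an added illustration of the Implementation-phase mitigation above (strong types, and keeping sensitive data apart from non-sensitive data), the following Python example is not part of the CWE entry; the Sensitive marker type, the profile dataclasses and the sample values are all assumptions constructed for it. It shows an export that serialises the whole record beside one that serialises only the non-sensitive half and uses the marker type to check what is about to be transferred.

```python
from dataclasses import dataclass, asdict, fields, is_dataclass
import json

@dataclass(frozen=True)
class Sensitive:
    """Marker type: a value that must never reach a storage or transfer path."""
    value: str
    def __repr__(self) -> str:  # keep secrets out of logs and tracebacks
        return "Sensitive(<redacted>)"

@dataclass
class PublicProfile:  # safe to publish as-is
    username: str
    display_name: str

@dataclass
class PrivateProfile:  # every field is strongly typed as Sensitive
    email: Sensitive
    internal_ip: Sensitive
    api_token: Sensitive

@dataclass
class UserRecord:  # sensitive and non-sensitive halves kept apart
    public: PublicProfile
    private: PrivateProfile

def find_sensitive(obj, path: str = "") -> list:
    """Walk a dataclass graph and return dotted paths of every Sensitive value."""
    if isinstance(obj, Sensitive):
        return [path]
    found = []
    if is_dataclass(obj):
        for f in fields(obj):
            child = f"{path}.{f.name}" if path else f.name
            found += find_sensitive(getattr(obj, f.name), child)
    return found

def export_unsafe(record: UserRecord) -> str:
    return json.dumps(asdict(record))  # the weakness: private fields go out too

def export_safe(record: UserRecord) -> str:
    # Export only the non-sensitive half, and let the marker type double-check it.
    leaks = find_sensitive(record.public)
    if leaks:
        raise ValueError(f"refusing to export, sensitive fields at {leaks}")
    return json.dumps(asdict(record.public))

def sample_record() -> UserRecord:  # constructed sample data, not real values
    priv = PrivateProfile(Sensitive("alice@example.com"), Sensitive("10.0.0.5"), Sensitive("tok-CONSTRUCTED"))
    return UserRecord(PublicProfile("alice", "Alice"), priv)
```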
Cryptography library does not clear heap memory before release
Reference: CVE-2005-0406
Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
Reference: CVE-2002-0704
NAT feature in firewall leaks internal IP addresses in ICMP error messages.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Cross-Boundary Cleansing Infoleak | - |