CWE-213: Exposure of Sensitive Information Due to Incompatible Policies

Base Draft Simple

CWE version: 4.18

Last updated: 2025-09-09

Weakness Description

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

Common Consequences

Scope: Confidentiality

Technical Impact: Read Application Data

Observed Examples

Reference: CVE-2002-1725

Script calls phpinfo()

Reference: CVE-2004-0033

Script calls phpinfo()

Reference: CVE-2003-1181

Script calls phpinfo()

Reference: CVE-2004-1422

Script calls phpinfo()

Reference: CVE-2004-1590

Script calls phpinfo()

Reference: CVE-2003-1038

Product lists DLLs and full pathnames.

Reference: CVE-2005-1205

Telnet protocol allows servers to obtain sensitive environment information from clients.

Reference: CVE-2005-0488

Telnet protocol allows servers to obtain sensitive environment information from clients.

Modes of Introduction

Phase: Note

Policy: This can occur when the product's policy does not account for all relevant stakeholders, or when the policies of other stakeholders are not interpreted properly.

Requirements: This can occur when requirements do not explicitly account for all relevant stakeholders.

Architecture and Design: Communications or data exchange frameworks may be chosen that exchange or provide access to more information than strictly needed.

Implementation: This can occur when the developer does not properly track the flow of sensitive information and how it is exposed, e.g., via an API.

Applicable Platforms

Programming Languages
Not Language-Specific (Undetermined)

Taxonomy Mappings

Taxonomy Name: PLOVER
Entry ID: -
Entry Name: Intended information leak
Mapping Fit: -

Key Information

CWE ID: CWE-213

Abstraction: Base

Structure: Simple

Status: Draft

Related Weaknesses