CWE-540: Inclusion of Sensitive Information in Source Code
CWE Version: 4.18
Updated: 2025-09-09
Description
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
Extended Description
There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Potential Mitigations
Phase: Architecture and Design; System Configuration
Description: Recommendations include removing this script from the web server and moving it to a location that is not accessible from the Internet.
Observed Examples
Reference: CVE-2022-25512
Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
Reference: CVE-2022-24867
The LDAP password might be visible in the html code of a rendered page in an IT Asset Management tool.
Reference: CVE-2007-6197
Version numbers and internal hostnames leaked in HTML comments.
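The observed examples above fall into two recurring patterns: metadata leaked through HTML comments (version numbers, internal hostnames) and credentials embedded as literals in content the server hands to every visitor (tokens in JavaScript, a directory password in rendered HTML). The following Python script is an added example, not part of the CWE entry or of any of the referenced products, showing a pre-deployment check a defender can run over the exact bytes a web server will serve. The sample page and bundle it scans are constructed here; the internal-suffix list and credential-name patterns are assumptions chosen for illustration and should be tuned to the environment being checked.

```python
import re
from typing import List

# Constructed sample content (not taken from any real system): a rendered HTML
# page and a JavaScript bundle as a web server would deliver them to any visitor.
SAMPLE_HTML = """<html>
<!-- build 2.3.1 deployed on app-db-01.corp.internal -->
<body><script src="/static/app.js"></script></body>
<!-- TODO: remove debug panel before release -->
</html>"""

SAMPLE_JS = """const API_BASE = "/api";
const AUTH_TOKEN = "ghp_ExampleTokenValue0123456789";
const ldapPassword = "s3cr3t-Pa55";
function load() { return fetch(API_BASE + "/items"); }
"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Dotted version strings such as 2.3.1 (the CVE-2007-6197 pattern).
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)+\b")
# Hostnames under suffixes that only resolve inside a private network (assumed list).
INTERNAL_HOST = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|corp|local|lan|intranet)\b", re.I
)
# A string literal assigned to an identifier whose name suggests a credential
# (the CVE-2022-25512 / CVE-2022-24867 pattern). Group 1 is the identifier,
# group 2 the quote character, group 3 the literal value.
CREDENTIAL_ASSIGN = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:token|password|passwd|secret|api_?key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*(['\"])(.*?)\2",
    re.I,
)


def find_html_comment_leaks(html: str) -> List[dict]:
    """Return HTML comments that expose version numbers or internal hostnames."""
    findings = []
    for m in HTML_COMMENT.finditer(html):
        body = m.group(1).strip()
        entry = {"comment": body, "kinds": []}
        v = VERSION.search(body)
        if v:
            entry["kinds"].append("version")
            entry["version"] = v.group(0)
        h = INTERNAL_HOST.search(body)
        if h:
            entry["kinds"].append("hostname")
            entry["hostname"] = h.group(0)
        if entry["kinds"]:
            findings.append(entry)
    return findings


def find_hardcoded_credentials(text: str) -> List[dict]:
    """Return credential-named identifiers that are assigned a string literal."""
    findings = []
    for m in CREDENTIAL_ASSIGN.finditer(text):
        name, value = m.group(1), m.group(3)
        # Report a masked preview only, so the scan report itself does not leak the value.
        findings.append({"name": name, "value_preview": value[:4] + "..."})
    return findings


def scan_served_content(html: str, js: str) -> dict:
    """Run both checks over everything the server would serve; any finding fails the gate."""
    return {
        "html_comment_leaks": find_html_comment_leaks(html),
        "hardcoded_credentials": find_hardcoded_credentials(html + "\n" + js),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_served_content(SAMPLE_HTML, SAMPLE_JS), indent=2))
```

Running the script on the constructed samples reports one comment leaking both a version and an internal hostname, and two credential assignments (AUTH_TOKEN and ldapPassword). In practice the check belongs in the release pipeline, applied to the deployed artifacts or to a fetch of the live pages rather than to the repository alone, because a rendered page can contain values the templates never show.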
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |