Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

CWE-209: Generation of Error Message Containing Sensitive Information


Weakness ID: 209
Vulnerability Mapping: ALLOWED
Abstraction: Base


Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Extended Description

The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:

self-generated: the source code explicitly constructs the error message and delivers it
externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer

An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
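As an added example (not part of the CWE entry), the following Python contrasts an error handler that forwards an externally-generated database error to the client with one that logs the detail server-side and returns only an opaque reference id; the `RAW_DB_ERROR` text, the handler names and the leak-detection patterns are constructed for illustration.

```python
import logging
import re
import uuid

# Constructed sample of the raw text a database driver or interpreter might
# produce: it carries the malformed query, a credential and an install path.
RAW_DB_ERROR = (
    "syntax error at or near \"'\" in: SELECT * FROM users WHERE name='o'' "
    "AND pw='hunter2' (file /srv/app/db/query.py)"
)

log = logging.getLogger("app")


def leaky_handler(exc: Exception) -> dict:
    """CWE-209 pattern: the externally-generated message reaches the client."""
    return {"status": 500, "body": f"Internal error: {exc}"}


def safe_handler(exc: Exception) -> dict:
    """Hardened pattern: detail stays in the server log, keyed by a reference id."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"status": 500, "body": f"An internal error occurred (reference {ref})."}


# Defensive check, usable in tests or a response filter: content that an error
# body sent to a client should never contain.
_LEAK_PATTERNS = [
    re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\bFROM\b|\bWHERE\b", re.I),  # query text
    re.compile(r"(/[\w.-]+){2,}|[A-Za-z]:\\"),                                  # filesystem paths
    re.compile(r"\b(pw|password|passwd)\s*=", re.I),                           # credential fragments
    re.compile(r"Traceback \(most recent call last\)"),                         # stack traces
]


def leaks_sensitive_info(body: str) -> bool:
    """Return True if the client-facing body matches any leak pattern."""
    return any(p.search(body) for p in _LEAK_PATTERNS)


def handle_request(handler) -> dict:
    """Simulate a request whose database call fails and route it to a handler."""
    try:
        raise RuntimeError(RAW_DB_ERROR)  # stands in for the failing DB call
    except Exception as exc:
        return handler(exc)
```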
Relationships

Relevant to the view "Research Concepts" (CWE-1000)

Nature ID Name
ChildOf 755 Improper Handling of Exceptional Conditions
ChildOf 200 Exposure of Sensitive Information to an Unauthorized Actor
ParentOf 210 Self-generated Error Message Containing Sensitive Information
ParentOf 211 Externally-Generated Error Message Containing Sensitive Information
ParentOf 550 Server-generated Error Message Containing Sensitive Information
PeerOf 1295 Debug Messages Revealing Unnecessary Information
CanFollow 600 Uncaught Exception in Servlet
CanFollow 756 Missing Custom Error Page

Relevant to the view "Software Development" (CWE-699)

Nature ID Name
MemberOf 199 Information Management Errors
MemberOf 389 Error Conditions, Return Values, Status Codes

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

Relevant to the view "Architectural Concepts" (CWE-1008)
Memberships

Nature ID Name
MemberOf 717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
MemberOf 728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
MemberOf 731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
MemberOf 751 2009 Top 25 - Insecure Interaction Between Components
MemberOf 801 2010 Top 25 - Insecure Interaction Between Components
MemberOf 815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
MemberOf 851 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)
MemberOf 867 2011 Top 25 - Weaknesses On the Cusp
MemberOf 880 CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)
MemberOf 884 CWE Cross-section
MemberOf 933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration
MemberOf 963 SFP Secondary Cluster: Exposed Data
MemberOf 1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
MemberOf 1348 OWASP Top Ten 2021 Category A04:2021 - Insecure Design
MemberOf 1417 Comprehensive Categorization: Sensitive Information Exposure

Vulnerability Mapping Notes

Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)

Reason: Acceptable-Use

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Accidental leaking of sensitive information through error messages
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling
OWASP Top Ten 2004 | A7 | CWE More Specific | Improper Error Handling
OWASP Top Ten 2004 | A10 | CWE More Specific | Insecure Configuration Management
The CERT Oracle Secure Coding Standard for Java (2011) | ERR01-J | | Do not allow exceptions to expose sensitive information
Software Fault Patterns | SFP23 | | Exposed Data

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-215 Fuzzing for application mapping
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-54 Query System for Information
CAPEC-7 Blind SQL Injection

Content History

Submissions
Submission Date Submitter Organization
2006-07-19 CLASP (CWE Draft 3, 2006-07-19)

Contributions
Contribution Date Contributor Organization
2022-07-11 Nick Johnston: Identified incorrect language tag in demonstrative example.