
CWE-201 (Information Exposure Through Sent Data) — Vulnerability Class (285)

285 vulnerabilities classified as CWE-201 (Information Exposure Through Sent Data). AI Chinese analysis included.

CWE-201 represents an information exposure weakness where software inadvertently transmits sensitive data to unauthorized external actors. This vulnerability typically arises when developers fail to sanitize output streams, allowing credentials, personally identifiable information, or internal system state to leak through network logs, error messages, or API responses. Attackers exploit this by intercepting traffic or analyzing server-side feedback to harvest secrets, facilitating further unauthorized access or identity theft. To mitigate this risk, developers must implement strict data filtering and validation before transmission. Using secure logging frameworks that mask sensitive fields, encrypting data in transit, and conducting regular code reviews to identify accidental data leaks are essential practices. Ensuring that only necessary, non-sensitive information is shared with external entities significantly reduces the attack surface and protects user privacy.

MITRE CWE Description
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Common Consequences (1)
Confidentiality: Read Files or Directories, Read Memory, Read Application Data
Sensitive data may be exposed to attackers.
Mitigations (4)
Requirements: Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.
Implementation: Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.
System Configuration: Set up default error messages so that unexpected errors do not disclose sensitive information.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Examples (1)
The following is an actual MySQL error statement:
Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4
Result · SQL
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-27132 | Cisco Jabber Desktop and Mobile Client Software Vulnerabilities | Cisco Jabber | 9.9 | Critical | 2020-12-11
CVE-2020-27127 | Cisco Jabber Desktop and Mobile Client Software Vulnerabilities | Cisco Jabber | 9.9 | Critical | 2020-12-11
CVE-2020-25703 | Moodle information disclosure vulnerability | moodle | 5.3 | - | 2020-11-19
CVE-2020-14514 | Trailer Power Line Communications vulnerability | Trailer Power Line Communications | 4.3 | Medium | 2020-09-01
CVE-2020-13597 | Calico nodes IPv6 traffic redirection from route advertisement | Calico | 6.0 | Medium | 2020-06-03
CVE-2020-5364 | Dell EMC Isilon OneFS information disclosure vulnerability | Isilon OneFS | 5.3 | Medium | 2020-05-20
CVE-2020-1774 | Information disclosure | ((OTRS)) Community Edition | 4.5 | Medium | 2020-04-28
CVE-2020-1770 | Information disclosure in support bundle files | ((OTRS)) Community Edition | 2.4 | Low | 2020-03-27
CVE-2019-15580 | GitLab information disclosure vulnerability | gitlab.com | 7.5 | - | 2019-12-18
CVE-2019-14849 | Red Hat 3scale cross-site scripting vulnerability | 3scale | 5.4 | - | 2019-12-12
CVE-2018-17245 | Elasticsearch Kibana security vulnerability | Kibana | 9.1 | - | 2018-12-20
CVE-2017-2582 | Red Hat Picketlink and KeyCloak information disclosure vulnerability | keycloak | 7.5 | - | 2018-07-26
CVE-2017-16026 | Request security vulnerability | request node module | 5.9 | - | 2018-06-04
CVE-2016-10518 | ws module security vulnerability | ws node module | 9.1 | - | 2018-05-31
CVE-2016-10519 | bittorrent-dht security vulnerability | bittorrent-dht node module | 7.5 | - | 2018-05-31

Vulnerabilities classified as CWE-201 (Information Exposure Through Sent Data) represent 285 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.