
CWE-209 Information Exposure Through an Error Message: vulnerability list (297)

CWE-209 Information Exposure Through an Error Message: a summary of the 297 CVE vulnerabilities in this weakness class, with AI-generated analysis in Chinese.

CWE-209 is an information-disclosure weakness: when the software generates an error message, it unintentionally includes sensitive information about its environment, its users, or its data. Attackers typically use such detailed stack traces or path information to identify the system architecture, database structure, or user identities, which supports later, more precisely targeted attacks. Developers should avoid exposing internal details in production: configure a single generic error page, filter sensitive fields, and log details rather than display them, so that sensitive data is not leaked.

MITRE CWE official description
CWE-209: Generation of Error Message Containing Sensitive Information. Description: The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common consequences (1)
Confidentiality: Read Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Code examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.
    try {
        /.../
    } catch (Exception e) {
        // prints the exception class, message and, depending on the exception, internal details
        System.out.println(e);
    }
Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.
    try {
        openDbConnection();
    }
    // print the exception message together with the configuration file location
    // ($Mysql_config_location is assumed to be set elsewhere in the application)
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }
Bad · PHP
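The two MITRE samples above show the leaking pattern; the paragraph at the top of the page names the fix (generic message to the client, full detail to the log, sensitive fields filtered). The following is an added example that is not part of the page or of MITRE's material, written in Python rather than the page's Java/PHP: it places the leaky handler beside a hardened one that logs under a correlation id, adds a coarse redaction helper for messages that must still be shown, and a release-time check for sensitive markers in a response body. `DbError`, `open_db_connection`, `SERVER_LOG` and the config path `/etc/app/db.conf` are constructed for the example.

```python
import re
import traceback
import uuid

# In-memory stand-in for the server-side log (constructed for this example).
SERVER_LOG = []

# Coarse heuristics: absolute Unix/Windows paths with at least one directory
# component, and "key=value" credentials. Tune the patterns for a real codebase.
_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]+")
_SECRET_RE = re.compile(r"(password|passwd|token)(\s*=\s*)\S+", re.IGNORECASE)


def redact(message):
    """Strip file-system paths and credential values from a message that must be shown."""
    message = _PATH_RE.sub("[path]", message)
    return _SECRET_RE.sub(r"\1\2[redacted]", message)


class DbError(Exception):
    """Constructed stand-in for a database driver exception."""


def open_db_connection(config_path):
    """Constructed failure: mimics a driver that echoes its config location into the error text."""
    raise DbError(f"access denied for user 'app' (config: {config_path})")


def leaky_handler(config_path):
    """Bad (same pattern as the PHP sample): the exception text and the
    configuration file location go straight back to the client."""
    try:
        open_db_connection(config_path)
        return {"status": 200, "body": "ok"}
    except Exception as e:
        body = f"Caught exception: {e}. Check credentials in config file at: {config_path}"
        return {"status": 500, "body": body}


def safe_handler(config_path):
    """Good: the full stack trace (message and path included) is written to the
    server log under a correlation id; the client receives only a generic
    message carrying that id, which support staff can look up."""
    try:
        open_db_connection(config_path)
        return {"status": 200, "body": "ok"}
    except Exception:
        incident_id = uuid.uuid4().hex
        SERVER_LOG.append(f"incident {incident_id}\n{traceback.format_exc()}")
        return {"status": 500, "body": f"An internal error occurred (reference {incident_id})."}


def leaks(body, markers):
    """Release-time check: does a response body contain any known-sensitive marker
    (a config path, a driver error phrase, an exception class name)?"""
    return any(m in body for m in markers)


if __name__ == "__main__":
    markers = ("/etc/app/db.conf", "access denied", "DbError")
    print("leaky:", leaky_handler("/etc/app/db.conf")["body"])
    print("safe: ", safe_handler("/etc/app/db.conf")["body"])
    print("redacted:", redact("access denied (config: /etc/app/db.conf) password=hunter2"))
    print("leaky leaks?", leaks(leaky_handler("/etc/app/db.conf")["body"], markers))
    print("safe leaks? ", leaks(safe_handler("/etc/app/db.conf")["body"], markers))
```

The `leaks` check is the kind of assertion worth running against every error path in an integration test suite: feed each handler a failing dependency and confirm the client-visible body contains none of the markers you know the log line carries. The redaction helper is only a backstop for text that has to be displayed; the primary control is the split between `SERVER_LOG` and the response body.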
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2025-31141 | JetBrains TeamCity security vulnerability | TeamCity | 2.7 | Low | 2025-03-27
CVE-2024-12380 | GitLab EE/CE security vulnerability | GitLab | 4.4 | Medium | 2025-03-13
CVE-2025-2239 | Hillstone Next Generation FireWall security vulnerability | Hillstone Next Generation FireWall | 5.3 | Medium | 2025-03-12
CVE-2025-23185 | SAP Business Objects Business Intelligence Platform security vulnerability | SAP Business Objects Business Intelligence Platform | 4.1 | Medium | 2025-03-11
CVE-2025-20002 | Apollo security vulnerability | Apollo | 5.3 | Medium | 2025-03-05
CVE-2024-56810 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56496 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56495 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56811 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56493 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56494 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2024-56812 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-27
CVE-2025-0941 | Beckman Coulter MET ONE 3400+ instruments running software security vulnerability | MET ONE 3400+ | 5.8 | Medium | 2025-02-26
CVE-2024-13537 | WordPress plugin C9 Blocks security vulnerability | C9 Blocks | 5.3 | Medium | 2025-02-21
CVE-2024-13535 | WordPress plugin Actionwear products sync security vulnerability | Actionwear products sync | 5.3 | Medium | 2025-02-18
CVE-2024-13540 | WordPress plugin WooODT Lite security vulnerability | WooODT Lite – Delivery & pickup date time location for WooCommerce | 5.3 | Medium | 2025-02-18
CVE-2024-13538 | WordPress plugin BigBuy Dropshipping Connector for WooCommerce security vulnerability | BigBuy Dropshipping Connector for WooCommerce | 5.3 | Medium | 2025-02-18
CVE-2024-13539 | WordPress plugin AForms Eats security vulnerability | AForms Eats | 5.3 | Medium | 2025-02-12
CVE-2024-52611 | SolarWinds Platform security vulnerability | SolarWinds Platform | 3.5 | Low | 2025-02-11
CVE-2024-56467 | IBM EntireX security vulnerability | EntireX | 3.3 | Low | 2025-02-06
CVE-2024-49798 | IBM ApplinX security vulnerability | ApplinX | 4.3 | Medium | 2025-02-05
CVE-2024-45658 | IBM Security Verify Access security vulnerability | Security Verify Access Appliance | 2.7 | Low | 2025-02-04
CVE-2024-45659 | IBM Security Verify Access security vulnerability | Security Verify Access Appliance | 5.3 | Medium | 2025-02-04
CVE-2025-23216 | Argo CD security vulnerability | argo-cd | 6.8 | Medium | 2025-01-30
CVE-2024-35134 | IBM Analytics Content Hub security vulnerability | Analytics Content Hub | 5.3 | Medium | 2025-01-25
CVE-2023-38713 | IBM Cloud Pak System security vulnerability | Cloud Pak System | 5.3 | Medium | 2025-01-25
CVE-2023-38714 | IBM Cloud Pak System security vulnerability | Cloud Pak System | 5.3 | Medium | 2025-01-25
CVE-2023-38716 | IBM Cloud Pak System security vulnerability | Cloud Pak System | 5.3 | Medium | 2025-01-25
CVE-2024-35111 | IBM Control Center security vulnerability | Control Center | 4.3 | Medium | 2025-01-25
CVE-2025-24552 | WordPress plugin Paytium security vulnerability | Paytium | 5.3 | Medium | 2025-01-24

CWE-209 (Information Exposure Through an Error Message) is a common weakness class; this platform has catalogued 297 CVE vulnerabilities associated with it.