Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-209 (通过错误消息导致的信息暴露) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (通过错误消息导致的信息暴露). AI Chinese analysis included.

CWE-209 represents a critical information disclosure weakness where software inadvertently exposes sensitive internal details through error messages. This flaw typically occurs when applications return verbose stack traces, database paths, or user-specific data to end-users during failure states. Attackers exploit this by triggering specific errors to gather reconnaissance information, such as server architecture, file structures, or valid user identifiers, which facilitates further targeted attacks like SQL injection or privilege escalation. To mitigate this risk, developers must implement robust error handling mechanisms that separate internal diagnostic logs from user-facing messages. By standardizing generic, non-descriptive error responses for external users while retaining detailed logs for internal debugging, organizations can prevent attackers from leveraging error output to map system vulnerabilities or compromise sensitive data integrity.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
ConfidentialityRead Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
ImplementationEnsure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
ImplementationHandle exceptions internally and do not display errors containing potentially sensitive information to a user.
ImplementationUse naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and CompilationDebugging information should not make its way into a production release.
Implementation, Build and CompilationDebugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.
try { /.../ } catch (Exception e) { System.out.println(e); }
Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.
try { openDbConnection(); } //print exception message that includes exception message and configuration file location catch (Exception $e) { echo 'Caught exception: ', $e->getMessage(), '\n'; echo 'Check credentials in config file at: ', $Mysql_config_location, '\n'; }
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2024-13536 1003 Mortgage Application <= 1.87 - Unauthenticated Full Path Disclosure — 1003 Mortgage Application 5.3 Medium2025-01-21
CVE-2024-52898 IBM MQ information disclosure — MQ 6.2 Medium2025-01-14
CVE-2025-0053 Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform — SAP NetWeaver Application Server for ABAP and ABAP Platform 5.3 Medium2025-01-14
CVE-2022-22363 IBM Cognos Controller information disclosure — Controller 4.3 Medium2025-01-07
CVE-2021-20455 IBM Cognos Controller information disclosure — Controller 3.7 Low2025-01-07
CVE-2024-25037 IBM Cognos Controller information disclosure — Controller 4.3 Medium2025-01-07
CVE-2024-52893 IBM Concert Software information disclosure — Concert Software 5.3 Medium2025-01-07
CVE-2024-11625 Progress Sitefinity 安全漏洞 — Sitefinity 7.7 High2025-01-07
CVE-2024-5591 IBM Jazz Foundation information disclosure — Jazz Foundation 4.3 Medium2025-01-03
CVE-2024-39725 IBM Engineering Lifecycle Optimization - Engineering Insights information disclosure — Engineering Insights 5.3 Medium2024-12-25
CVE-2024-23945 Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails — Apache Hive 8.2 -2024-12-23
CVE-2024-52897 IBM MQ information disclosure — MQ 6.2 Medium2024-12-19
CVE-2024-52896 IBM MQ information disclosure — MQ 6.2 Medium2024-12-19
CVE-2024-49818 IBM Security Guardium Key Lifecycle Manager information disclosure — Security Guardium Key Lifecycle Manager 4.3 Medium2024-12-17
CVE-2024-54366 WordPress Vimeography plugin <= 2.4.4 - Full Path Disclosure (FPD) vulnerability — Vimeography 5.3 Medium2024-12-16
CVE-2024-51460 IBM InfoSphere Information Server information disclosure — InfoSphere Information Server 4.3 Medium2024-12-11
CVE-2024-53948 Apache Superset: Error verbosity exposes metadata in analytics databases — Apache Superset 5.3 -2024-12-09
CVE-2024-54141 phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available — phpMyFAQ 8.6 High2024-12-06
CVE-2024-53253 Sentry's improper error handling leaks Application Integration Client Secret — sentry 5.3 Medium2024-11-22
CVE-2024-48896 Moodle: users' names returned in messaging error message 4.3AIMediumAI2024-11-18
CVE-2021-3986 Information Disclosure in janeczku/calibre-web — janeczku/calibre-web 4.3AIMediumAI2024-11-15
CVE-2024-30141 HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information — BigFix Compliance 4.7 Medium2024-11-07
CVE-2024-52043 User enumeration in HubHub — HumHub 5.3AIMediumAI2024-11-06
CVE-2024-51560 Improper Error Handling Vulnerability in Wave 2.0 — Wave 2.0 4.3AIMediumAI2024-11-04
CVE-2024-50512 WordPress Posti Shipping plugin <= 3.10.2 - Full Path Disclosure (FPD) vulnerability — Posti Shipping 5.3 Medium2024-10-30
CVE-2023-50355 HCL Sametime is impacted by generation of error messages containing sensitive information — Sametime 3.6 Low2024-10-23
CVE-2024-45713 SolarWinds Kiwi CatTools Sensitive Information Disclosure Vulnerability — Kiwi CatTools 5.1 Medium2024-10-17
CVE-2024-7038 Information Disclosure in open-webui/open-webui — open-webui/open-webui 6.5AIMediumAI2024-10-09
CVE-2024-5435 Generation of Error Message Containing Sensitive Information in GitLab — GitLab 4.5 Medium2024-09-12
CVE-2024-8571 erjemin roll_cms views.py information exposure — roll_cms 3.5 Low2024-09-08

Vulnerabilities classified as CWE-209 (通过错误消息导致的信息暴露) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.