
CWE-209 (Information Exposure Through an Error Message) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message). AI Chinese analysis included.

CWE-209 is an information disclosure weakness in which software exposes sensitive internal detail through its error messages. It typically appears when an application returns verbose stack traces, filesystem or database paths, configuration values, or user-specific data to the caller in a failure state. An attacker exploits it by deliberately triggering errors to collect reconnaissance: server software and versions, directory layout, internal hostnames, or valid user identifiers, any of which narrows the search for a follow-on attack such as SQL injection or privilege escalation. The mitigation is to separate the two audiences of an error: keep full diagnostics (exception type, message, stack trace) in server-side logs, and return to external users only a fixed, non-descriptive message, ideally with an opaque reference ID so support staff can correlate it with the log entry. Done consistently, this denies an attacker the ability to use error output to map the system or to read data it should never have echoed.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Scope: Confidentiality. Technical impact: Read Application Data.
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Phase: Implementation. Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Phase: Implementation. Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Phase: Implementation. Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. Effectiveness: Defense in Depth.
Phase: Implementation; Build and Compilation. Debugging information should not make its way into a production release.
Examples (2)
Example 1 (Bad · Java). In the following example, sensitive information might be printed depending on the exception that occurs; whatever the exception's toString() carries (message, and for many exception types the underlying cause) goes straight to standard output.

    try {
        /.../
    } catch (Exception e) {
        System.out.println(e);
    }

Example 2 (Bad · PHP). This code tries to open a database connection, and prints any exceptions that occur. The response reveals both the driver's error text and the location of the configuration file holding the credentials.

    try {
        openDbConnection();
    }
    // print exception message that includes exception message and configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }
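The following is an added example, not code from the page or from MITRE's CWE entry. It restates the PHP pattern above in Python beside the fix that the introduction and the mitigations describe: a fixed client-facing message carrying only an opaque reference ID, with the exception text and stack trace written to the server-side log. The configuration path, internal host, logger name, and the in-memory log sink are all constructed for the example; `leaks_sensitive` is the kind of check a tester runs over captured responses.

```python
"""Added example: CWE-209 vulnerable vs. hardened error handling.

All names and values here are constructed for illustration; they are not
from any real product or from the page above.
"""
import logging
import traceback
import uuid

# Constructed stand-ins for the server-side secrets the PHP example leaks.
MYSQL_CONFIG_LOCATION = "/etc/app/mysql.conf"   # assumed config path
DB_HOST = "10.0.0.5"                            # assumed internal host

# Strings a tester would grep client responses for (constructed list).
SENSITIVE_MARKERS = (MYSQL_CONFIG_LOCATION, DB_HOST, "access denied", "Traceback")

# In-memory sink standing in for the application's server-side log.
AUDIT_LOG: list[str] = []


class _ListHandler(logging.Handler):
    """Appends each formatted record to AUDIT_LOG so the demo is self-contained."""

    def emit(self, record: logging.LogRecord) -> None:
        AUDIT_LOG.append(self.format(record))


log = logging.getLogger("cwe209_example")
log.addHandler(_ListHandler())
log.propagate = False  # keep the demo from also writing to stderr


class DbError(Exception):
    pass


def open_db_connection() -> None:
    """Hypothetical driver failure whose message carries internal detail."""
    raise DbError(f"access denied for 'app'@'{DB_HOST}'; check {MYSQL_CONFIG_LOCATION}")


def vulnerable_response() -> tuple[int, str]:
    """Mirrors the PHP example: exception text and config path go to the client."""
    try:
        open_db_connection()
        return 200, "ok"
    except Exception as e:
        return 500, (f"Caught exception: {e}\n"
                     f"Check credentials in config file at: {MYSQL_CONFIG_LOCATION}\n")


def hardened_response() -> tuple[int, str]:
    """Generic message to the client; full diagnostics only in the server log."""
    try:
        open_db_connection()
        return 200, "ok"
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        # Exception type, message and stack trace are logged under an opaque
        # reference so support can correlate the report with this entry ...
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        # ... while the client receives only that reference, never the detail.
        return 500, f"An internal error occurred. Reference: {incident_id}"


def leaks_sensitive(body: str) -> list[str]:
    """Return the sensitive markers found in a response body (empty if clean)."""
    return [m for m in SENSITIVE_MARKERS if m in body]


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_response), ("hardened", hardened_response)):
        status, body = fn()
        print(f"{name}: HTTP {status}, leaks={leaks_sensitive(body)}")
    print("server log holds the detail:", MYSQL_CONFIG_LOCATION in AUDIT_LOG[-1])
```

The reference ID is the only thing the two audiences share: a user quoting it lets an operator find the full trace in the log, and an attacker collecting it learns nothing about the backend. The same split applies to framework-level handlers (an uncaught-exception page in production must not render the trace), which is the "debugging information in a production release" mitigation listed above.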
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-41674 | CKAN may leak Solr credentials via error message in package_search action | ckan | 5.3 | Medium | 2024-08-21
CVE-2024-43376 | Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information | Umbraco-CMS | 4.3 | Medium | 2024-08-20
CVE-2023-47728 | IBM QRadar Suite Software information disclosure | QRadar Suite Software | 6.5 | Medium | 2024-08-16
CVE-2024-39751 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 4.3 | Medium | 2024-08-06
CVE-2024-6980 | Verbose error handling issue in GravityZone Update Server proxy service | GravityZone Update Server | 9.8 (AI) | Critical (AI) | 2024-07-31
CVE-2024-5250 | Overly Verbose Errors in SAML Integration | Akana API Platform | 3.5 | Low | 2024-07-30
CVE-2024-6984 | Juju security vulnerability | Juju | 8.8 | High | 2024-07-29
CVE-2024-3454 | In-Fabric Matter Cluster Attribute Disclosure | connectedhomeip | 3.5 | Low | 2024-07-24
CVE-2022-35640 | IBM Sterling Partner Engagement Manager information disclosure | Sterling Partner Engagement Manager | 4.0 | Medium | 2024-07-16
CVE-2024-39737 | IBM Datacap Navigator information disclosure | Datacap Navigator | 5.4 | Medium | 2024-07-15
CVE-2023-50953 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 5.4 | Medium | 2024-06-30
CVE-2024-35119 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 5.3 | Medium | 2024-06-30
CVE-2024-35156 | IBM MQ information disclosure | MQ | 6.5 | Medium | 2024-06-28
CVE-2024-35155 | IBM MQ information disclosure | MQ | 6.5 | Medium | 2024-06-28
CVE-2024-37162 | zsa Generates Error Messages Containing Sensitive Information | zsa | 4.0 | Medium | 2024-06-07
CVE-2024-36106 | Argo CD allows authenticated users to enumerate clusters by name | argo-cd | 4.3 | Medium | 2024-06-06
CVE-2024-36375 | JetBrains TeamCity security vulnerability | TeamCity | 5.3 | Medium | 2024-05-29
CVE-2024-35232 | github.com/huandu/facebook may expose access_token in error message | facebook | 3.7 | Low | 2024-05-24
CVE-2023-23474 | IBM Cognos Controller information disclosure | Cognos Controller | 3.7 | Low | 2024-05-03
CVE-2024-28939 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | Microsoft SQL Server 2019 (CU 25) | 8.8 | High | 2024-04-09
CVE-2024-29059 | .NET Framework Information Disclosure Vulnerability | Microsoft .NET Framework 4.8 | 7.5 | High | 2024-03-22
CVE-2022-32756 | IBM Security Verify Directory information disclosure | Security Verify Directory | 2.7 | Low | 2024-03-22
CVE-2024-2009 | Nway Pro Argument index.php ajax_login_submit_form information exposure | Nway Pro | 5.3 | Medium | 2024-02-29
CVE-2024-27315 | Apache Superset: Improper error handling on alerts | Apache Superset | 4.3 | Medium | 2024-02-28
CVE-2024-21866 | Generation of Error Message Containing Sensitive Information in Rapid SCADA | Rapid SCADA | 5.3 | Medium | 2024-02-01
CVE-2023-47152 | IBM Db2 information disclosure | Db2 for Linux, UNIX and Windows | 5.9 | Medium | 2024-01-22
CVE-2024-23689 | ClickHouse Client Certificate Password Exposure | - | 7.5 | - | 2024-01-19
CVE-2024-21733 | Apache Tomcat: Leaking of unrelated request bodies in default error page | Apache Tomcat | 7.5 | - | 2024-01-19
CVE-2023-49107 | Generation of Error Message Containing Sensitive Information Vulnerability in Hitachi Device Manager | Hitachi Device Manager | 5.3 | Medium | 2024-01-16
CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Windows 10 Version 1809 | 5.3 | Medium | 2024-01-09

Vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.