
CWE-209 (Information Exposure Through an Error Message) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message). AI-generated Chinese analysis included.

CWE-209 is an information disclosure weakness in which software exposes sensitive internal details through its error messages. It typically occurs when an application returns verbose stack traces, file or database paths, configuration locations, or user-specific data to the caller during a failure. Attackers exploit it by deliberately triggering errors (malformed input, invalid credentials, non-existent resources) to gather reconnaissance such as server technology and version, file system layout, or valid user identifiers, which supports follow-on attacks such as SQL injection, path traversal or privilege escalation. Several entries in the table below show that the leaked data can itself be a credential rather than mere reconnaissance: CVE-2022-39304 returned an app JWT in error responses, and CVE-2023-37260 exposed a key in an exception message. The mitigation is an error-handling design that separates internal diagnostics from user-facing output: the user receives a generic, non-descriptive message (optionally carrying an opaque correlation identifier), while the full exception and stack trace go only to internal logs, where an operator can look them up by that identifier. Done consistently, this denies an attacker the ability to map the system from its failure output without costing operators any debugging detail.
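As an added illustration of the reconnaissance side described above (example code written for this page, not from any of the listed projects): a small scanner that flags the artefacts a verbose error page typically leaks, run over constructed sample response bodies. The indicator set, the `scan_response`/`scan_samples` helpers and the sample bodies are all assumptions of this example; the pattern list is a starting point for triage, not an exhaustive one.

```python
import re
from dataclasses import dataclass

# Indicators of CWE-209 leakage in an HTTP response body. The pattern set is
# an assumption of this example (a starting point, not an exhaustive list).
LEAK_PATTERNS = {
    "java_stack_trace": re.compile(r"^\s+at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
    "python_traceback": re.compile(r"Traceback \(most recent call last\):"),
    "php_runtime_error": re.compile(r"(?:Fatal error|Warning|Notice):.* in /\S+ on line \d+"),
    "unix_path": re.compile(r"(?<![\w/])/(?:etc|var|home|opt|usr|srv)/[\w./-]+"),
    "windows_path": re.compile(r"[A-Za-z]:\\[\w\\.-]+"),
    "sql_error": re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[\w+\]"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which indicator fired
    evidence: str  # the matched text, truncated for reporting


def scan_response(body: str) -> list[Finding]:
    """Return one Finding per indicator that appears in the response body."""
    found = []
    for kind, pattern in LEAK_PATTERNS.items():
        m = pattern.search(body)
        if m:
            found.append(Finding(kind, m.group(0).strip()[:80]))
    return found


# Constructed sample bodies for this example (not captured from any real system).
SAMPLES = {
    "java": (
        'java.lang.NullPointerException: Cannot invoke "User.getName()"\n'
        "\tat com.example.app.UserController.show(UserController.java:42)\n"
        "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n"
    ),
    "python": (
        "Traceback (most recent call last):\n"
        '  File "/var/www/app/views.py", line 12, in show\n'
        "    user = User.objects.get(pk=pk)\n"
        "DoesNotExist: User matching query does not exist.\n"
    ),
    "php": (
        "Warning: mysqli_connect(): (HY000/1045): Access denied for user "
        "'app'@'localhost' in /srv/www/config.php on line 7\n"
    ),
    "token": "error: could not refresh installation token "
             "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.Qy1mNzM\n",
    "generic": "Something went wrong. Reference: 7f3c9a2e\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Map each sample name to the sorted list of indicator kinds it triggers."""
    return {name: sorted(f.kind for f in scan_response(body))
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, kinds in scan_samples().items():
        print(f"{name:8s} -> {kinds or 'clean'}")
```

In a real engagement the bodies come from deliberately malformed requests (bad JSON, oversized IDs, invalid credentials, a missing resource) rather than from a dict; the `unix_path` and `jwt` patterns in particular can fire on legitimate content, so treat a hit as something to read, not as a confirmed finding.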

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs: `System.out.println(e)` writes the exception's class name and message, which for many library exceptions includes paths, hostnames or query fragments.

    try {
        /.../
    } catch (Exception e) {
        System.out.println(e);
    }

Bad · Java

This code tries to open a database connection, and prints any exception that occurs. Both the driver's own message and the location of the configuration file reach the user.

    try {
        openDbConnection();
    }
    // print exception message that includes exception message and configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }

Bad · PHP
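The two bad examples above and the "handle exceptions internally" mitigation are shown together here in one added Python example (written for this page; not code from MITRE or from any listed project). `handle_unsafe` reproduces the PHP pattern, returning the driver message plus the config location to the caller; `handle_safe` is the hardened form that logs the full traceback under a random reference and returns only that reference. `CONFIG_PATH`, `open_db_connection`, the `Response` type and the in-memory `ListHandler` are assumptions of the example, standing in for a real driver, framework and log sink.

```python
import logging
import secrets
import traceback
from dataclasses import dataclass

# Assumed, illustrative location; mirrors $Mysql_config_location in the PHP example.
CONFIG_PATH = "/etc/app/db.ini"


class DbConnectError(Exception):
    pass


def open_db_connection() -> None:
    # Constructed failure: real driver errors likewise embed host, user and file details.
    raise DbConnectError(
        f"access denied for user 'app'@'10.0.0.5' (credentials in {CONFIG_PATH})")


@dataclass
class Response:
    status: int
    body: str


def handle_unsafe() -> Response:
    """The page's Java/PHP anti-pattern: the exception text goes straight to the caller."""
    try:
        open_db_connection()
    except Exception as e:
        return Response(500, f"Caught exception: {e}\n"
                             f"Check credentials in config file at: {CONFIG_PATH}")
    return Response(200, "ok")


class ListHandler(logging.Handler):
    """Keeps formatted records in memory so the example can show what reached the log."""
    def __init__(self) -> None:
        super().__init__()
        self.records: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


# Internal diagnostic log: full detail, never returned to the client.
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False
log_sink = ListHandler()
log_sink.setFormatter(logging.Formatter("%(levelname)s ref=%(ref)s %(message)s"))
log.addHandler(log_sink)


def handle_safe() -> Response:
    """Hardened form: full traceback to the internal log, opaque reference to the user."""
    try:
        open_db_connection()
    except Exception:
        ref = secrets.token_hex(8)  # random correlation id; reveals nothing about the failure
        log.error("unhandled exception\n%s", traceback.format_exc(), extra={"ref": ref})
        return Response(500, f"An internal error occurred. Reference: {ref}")
    return Response(200, "ok")


# Strings that must never appear in a user-facing body for this constructed failure.
SENSITIVE = (CONFIG_PATH, "10.0.0.5", "DbConnectError", "Traceback")


def leaked_terms(body: str) -> list[str]:
    """Which of the known-sensitive strings appear in a user-facing body."""
    return [s for s in SENSITIVE if s in body]


if __name__ == "__main__":
    bad, good = handle_unsafe(), handle_safe()
    print("unsafe body leaks:", leaked_terms(bad.body))
    print("safe body leaks:", leaked_terms(good.body))
    print("internal log:", log_sink.records[-1].splitlines()[0])
```

The reference is the only thing that crosses the trust boundary; it must be unguessable (hence `secrets`, not a counter or timestamp) and it lets support staff find the matching log record without the client learning anything about the failure. A `leaked_terms`-style check belongs in the test suite for every error path, not just the one that was reported.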
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-37260 | league/oauth2-server key exposed in exception message when passing as string and providing invalid pass phrase | oauth2-server | 8.2 | High | 2023-07-06 |
| CVE-2023-34110 | Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error | Flask-AppBuilder | 2.7 | Low | 2023-06-22 |
| CVE-2023-34339 | JetBrains Ktor framework security vulnerability | Ktor | 3.3 | Low | 2023-06-01 |
| CVE-2023-33181 | Sensitive Information Disclosure abusing Stack Trace in Xibo CMS | xibo-cms | 4.3 | Medium | 2023-05-30 |
| CVE-2023-28514 | IBM MQ information disclosure | MQ | 6.2 | Medium | 2023-05-19 |
| CVE-2023-27860 | IBM Maximo Asset Management information disclosure | Maximo Asset Management | 5.3 | Medium | 2023-04-27 |
| CVE-2023-29193 | SpiceDB binding metrics port to untrusted networks and can leak command-line flags | spicedb | 8.7 | High | 2023-04-14 |
| CVE-2022-4770 | Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information | Pentaho Business Analytics Server | 4.3 | Medium | 2023-04-03 |
| CVE-2022-4769 | Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information | Pentaho Business Analytics Server | 4.3 | Medium | 2023-04-03 |
| CVE-2023-25687 | IBM Security Key Lifecycle Manager information disclosure | Security Key Lifecycle Manager | 4.3 | Medium | 2023-03-21 |
| CVE-2023-25695 | Information disclosure in Apache Airflow | Apache Airflow | 5.3 | - | 2023-03-15 |
| CVE-2023-27587 | ReadtoMyShoe security vulnerability | readtomyshoe | 7.4 | High | 2023-03-13 |
| CVE-2023-26052 | Saleor is vulnerable to unauthenticated information disclosure via Python exceptions | saleor | 3.7 | Low | 2023-03-02 |
| CVE-2023-26051 | Saleor is vulnerable to staff-authenticated error message information disclosure vulnerability via Python exceptions | saleor | 6.5 | Medium | 2023-03-02 |
| CVE-2020-5026 | IBM Financial Transaction Manager security vulnerability | Financial Transaction Manager | 4.3 | Medium | 2023-03-01 |
| CVE-2023-25956 | Apache Airflow AWS Provider: Arbitrary file read via AWS provider | Apache Airflow AWS Provider | 5.3 | - | 2023-02-24 |
| CVE-2023-0655 | SonicWall Email security vulnerability | SonicWall Email Security | 5.3 | - | 2023-02-14 |
| CVE-2022-46675 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 5.3 | Medium | 2023-02-10 |
| CVE-2015-10012 | sumocoders FrameworkUserBundle login.html.twig information exposure | FrameworkUserBundle | 3.5 | Low | 2023-01-03 |
| CVE-2022-22449 | IBM Security Verify Governance, Identity Manager information disclosure | Security Verify Governance, Identity Manager | 5.3 | Medium | 2022-12-22 |
| CVE-2022-39304 | ghinstallation returns app JWT in error responses | ghinstallation | 5.0 | Medium | 2022-12-20 |
| CVE-2022-34881 | Information Exposure Vulnerability in JP1/Automatic Operation | JP1/Automatic Operation | 3.3 | Low | 2022-12-06 |
| CVE-2022-40292 | Unauthenticated username enumeration in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC. | PHP Point of Sale | 5.3 | - | 2022-10-31 |
| CVE-2022-38107 | Sensitive Data Disclosure Vulnerability | SQL Sentry | 5.3 | Medium | 2022-10-19 |
| CVE-2021-27774 | An injection vulnerability affects HCL Digital Experience | HCL Digital Experience | 3.1 | Low | 2022-09-22 |
| CVE-2022-34882 | Information Exposure Vulnerability in RAID Manager Storage Replication Adapter | RAID Manager Storage Replication Adapter | 9.0 | Critical | 2022-09-06 |
| CVE-2022-33930 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 4.3 | Medium | 2022-08-10 |
| CVE-2022-31189 | "Internal System Error" page in DSpace JSPUI prints exceptions and stack traces without sanitization | DSpace | 5.3 | Medium | 2022-08-01 |
| CVE-2022-31140 | Valinor error messages leading to potential data exfiltration | Valinor | 7.5 | High | 2022-07-11 |
| CVE-2022-31124 | Possible leak of key's raw field if declared length is incorrect in openssh_key_parser | openssh_key_parser | 7.7 | High | 2022-07-06 |

Vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.