
CWE-209 (Information Exposure Through an Error Message) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message). AI Chinese analysis included.

CWE-209 represents a critical information disclosure weakness where software inadvertently exposes sensitive internal details through error messages. This flaw typically occurs when applications return verbose stack traces, database paths, or user-specific data to end-users during failure states. Attackers exploit this by triggering specific errors to gather reconnaissance information, such as server architecture, file structures, or valid user identifiers, which facilitates further targeted attacks like SQL injection or privilege escalation. To mitigate this risk, developers must implement robust error handling mechanisms that separate internal diagnostic logs from user-facing messages. By standardizing generic, non-descriptive error responses for external users while retaining detailed logs for internal debugging, organizations can prevent attackers from leveraging error output to map system vulnerabilities or compromise sensitive data integrity.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Confidentiality: Read Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. (Effectiveness: Defense in Depth)
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.

    try {
        /.../
    } catch (Exception e) {
        System.out.println(e);
    }

Bad · Java
This code tries to open a database connection, and prints any exceptions that occur. The output includes both the exception message and the location of the configuration file.

    try {
        openDbConnection();
    }
    // prints the exception message together with the configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }

Bad · PHP
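The hardened counterpart of the two bad examples above, added here as an illustration (it is not code from this page or from MITRE): exception details go to an internal log under a correlation id, the user receives only a generic message carrying that id, and sensitive configuration values are wrapped in a strong type whose string form is redacted, which is the naming/strong-types mitigation from the list above. The names Secret, DbConfig, handle_request_bad/handle_request_good and all configuration values are constructed for the demonstration; the in-memory log handler stands in for whatever internal logging a real deployment uses.

```python
import logging
import uuid
from dataclasses import dataclass


class ListHandler(logging.Handler):
    """In-memory log sink (constructed for the demo) so the example can
    compare what the internal log receives with what the user receives."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("cwe209.demo")
log.setLevel(logging.DEBUG)
log.propagate = False
INTERNAL_LOG = ListHandler()
INTERNAL_LOG.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(INTERNAL_LOG)


class Secret:
    """Strong type for sensitive values. str()/repr() are redacted, so the
    value cannot leak through str(exc), f-strings or log formatting by
    accident; reveal() is the only way to read it."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __str__(self):
        return "<redacted>"

    __repr__ = __str__


@dataclass
class DbConfig:
    host: str
    user: str
    password: Secret
    config_path: str  # internal detail that must never reach the user


class DbConnectError(Exception):
    pass


def open_db_connection(cfg: DbConfig):
    # Constructed failure: as in the PHP example, the raw message carries
    # internal details (host, user, config path).
    raise DbConnectError(
        f"auth failed for {cfg.user}@{cfg.host} "
        f"(config: {cfg.config_path}, password: {cfg.password})"
    )


def handle_request_bad(cfg: DbConfig) -> dict:
    """Vulnerable form, equivalent to the Java/PHP examples: the exception
    text is returned to the user verbatim."""
    try:
        open_db_connection(cfg)
    except Exception as e:
        return {"status": 500, "body": f"Caught exception: {e}"}
    return {"status": 200, "body": "ok"}


def handle_request_good(cfg: DbConfig) -> dict:
    """Hardened form: details and stack trace go to the internal log under
    a correlation id; the user gets a generic message plus that id."""
    try:
        open_db_connection(cfg)
    except Exception as e:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s %s: %s", ref, type(e).__name__, e, exc_info=True)
        return {"status": 500, "body": f"Internal error. Reference: {ref}"}
    return {"status": 200, "body": "ok"}


def leaks_internals(body: str, cfg: DbConfig) -> bool:
    """Demo check: does a user-facing body contain any internal detail?"""
    markers = (cfg.host, cfg.user, cfg.config_path, cfg.password.reveal(),
               "Traceback", "DbConnectError")
    return any(m in body for m in markers)


def last_internal_log() -> str:
    return INTERNAL_LOG.records[-1] if INTERNAL_LOG.records else ""


CFG = DbConfig(host="db.internal.example", user="appuser",
               password=Secret("constructed-password"),
               config_path="/etc/app/db.ini")

if __name__ == "__main__":
    bad, good = handle_request_bad(CFG), handle_request_good(CFG)
    print("bad :", bad["body"])
    print("good:", good["body"])
    print("leaks internals? bad=%s good=%s"
          % (leaks_internals(bad["body"], CFG), leaks_internals(good["body"], CFG)))
    print("internal log:", last_internal_log().splitlines()[0])
```

Note that even the vulnerable handler no longer exposes the password, because Secret redacts itself wherever it is formatted; the host, user and config path still leak there, which is what the correlation-id pattern in handle_request_good removes from the user-facing path while keeping it available to operators in the internal log.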
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2022-31229 | Dell PowerScale OneFS security vulnerability — PowerScale OneFS | 9.6 | Critical | 2022-06-28 |
| CVE-2022-2062 | Generation of Error Message Containing Sensitive Information in nocodb/nocodb — nocodb/nocodb | 7.5 | - | 2022-06-13 |
| CVE-2022-31023 | Dev error stack trace leaking into prod in Play Framework — playframework | 5.9 | Medium | 2022-06-02 |
| CVE-2022-29266 | apisix/jwt-auth may leak secrets in error response — Apache APISIX | 7.5 | - | 2022-04-20 |
| CVE-2021-32937 | MDT AutoSave Generation of Error Message Containing Sensitive Information — MDT AutoSave | 7.5 | High | 2022-04-01 |
| CVE-2021-35251 | Sensitive Data Disclosure Vulnerability — Web Help Desk | 5.3 | Medium | 2022-03-09 |
| CVE-2021-3620 | Red Hat Ansible security vulnerability — ansible | 5.5 | - | 2022-03-03 |
| CVE-2022-0563 | util-linux security vulnerability — util-linux | 7.1 | - | 2022-02-21 |
| CVE-2022-0660 | Generation of Error Message Containing Sensitive Information in microweber/microweber — microweber/microweber | 7.5 | - | 2022-02-18 |
| CVE-2022-0622 | Generation of Error Message Containing Sensitive Information in snipe/snipe-it — snipe/snipe-it | 4.3 | - | 2022-02-17 |
| CVE-2022-0504 | Generation of Error Message Containing Sensitive Information in microweber/microweber — microweber/microweber | 7.5 | - | 2022-02-08 |
| CVE-2022-22162 | Junos OS: A low privileged user can elevate their privileges to the ones of the highest privileged j-web user logged in — Junos OS | 7.3 | High | 2022-01-19 |
| CVE-2022-0083 | Generation of Error Message Containing Sensitive Information in livehelperchat/livehelperchat — livehelperchat/livehelperchat | 5.3 | - | 2022-01-04 |
| CVE-2022-0079 | Generation of Error Message Containing Sensitive Information in star7th/showdoc — star7th/showdoc | 5.3 | - | 2022-01-03 |
| CVE-2021-4177 | Generation of Error Message Containing Sensitive Information in livehelperchat/livehelperchat — livehelperchat/livehelperchat | 5.3 | - | 2021-12-28 |
| CVE-2021-1546 | Cisco SD-WAN Software Information Disclosure Vulnerability — Cisco SD-WAN Solution | 5.5 | Medium | 2021-09-23 |
| CVE-2021-32766 | Nextcloud Text app can disclose existence of folders in "File Drop" link share — security-advisories | 5.3 | Medium | 2021-09-07 |
| CVE-2021-25958 | Generation of Error Message Containing Sensitive Information in Apache OFBiz — ofbiz-framework | 6.5 | Medium | 2021-08-30 |
| CVE-2021-32775 | Any user can see any fields (including mailbox password) with GroupBy Dashlet — iTop | 7.7 | High | 2021-07-21 |
| CVE-2021-33711 | Siemens Teamcenter Active Workspace cross-site scripting vulnerability — Teamcenter Active Workspace V4 | 5.3 | - | 2021-07-13 |
| CVE-2021-32734 | File path disclosure of shared files in Nextcloud Text application — security-advisories | 3.1 | Low | 2021-07-12 |
| CVE-2021-30357 | Arch Linux security vulnerability — SSL Network Extender Client for Linux | 5.3 | - | 2021-06-08 |
| CVE-2021-22885 | Rails Action Pack information disclosure vulnerability — https://github.com/rails/rails | 9.1 | - | 2021-05-27 |
| CVE-2021-31339 | Siemens Mendix security vulnerability — Mendix Excel Importer Module | 5.3 | - | 2021-05-12 |
| CVE-2021-31341 | Siemens Mendix security vulnerability — Mendix Database Replication Module | 4.3 | - | 2021-05-12 |
| CVE-2021-21416 | Potential sensitive information disclosed in error reports — django-registration | 3.7 | Low | 2021-04-01 |
| CVE-2021-3393 | PostgreSQL security vulnerability — postgresql | 4.3 | - | 2021-04-01 |
| CVE-2021-20289 | Red Hat Resteasy security vulnerability — resteasy | 5.3 | - | 2021-03-26 |
| CVE-2020-1717 | Keycloak security vulnerability — keycloak | 2.7 | - | 2021-02-11 |
| CVE-2020-15219 | SQL query displayed on portal error — iTop | 4.3 | Medium | 2021-01-13 |

Vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.