
CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) — Vulnerability Class 47

47 vulnerabilities classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). AI Chinese analysis included.

CWE-212 is a data handling weakness in which an application fails to remove sensitive information from a resource before that resource is stored, transmitted, or shared. Residual data left in exported documents, network packets, or database records can give an attacker access to credentials, personally identifiable information, or proprietary secrets. Developers often overlook this risk when reusing memory buffers or leaving temporary files uncleared, assuming the data has already been overwritten. To mitigate it, explicitly clear or overwrite every sensitive field before the resource is released or leaves the trust boundary, enforce strict data lifecycle management through secure coding standards, and apply cryptographic erasure where applicable. Regular code reviews focused on data flow and memory management help catch these oversights before confidential information leaks.

MITRE CWE Description
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.
Common Consequences (1)
Confidentiality: Read Files or Directories, Read Application Data
Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences that will depend on what data is exposed. One possibility is the exposure of system data - such as file l…
Mitigations (5)
Requirements: Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation: Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
Examples (1)
This code either generates a public HTML user information page or a JSON response containing the same user information. The HTML path skips the email_address field, but the JSON path serializes the whole record, so the email address is exposed through the API.
// API flag, output JSON if set
$json = $_GET['json'];
$username = $_GET['user'];

if (!$json) {
    $record = getUserRecord($username);
    foreach ($record as $fieldName => $fieldValue) {
        if ($fieldName == "email_address") {
            // skip displaying user emails
            continue;
        } else {
            writeToHtmlPage($fieldName, $fieldValue);
        }
    }
} else {
    // JSON branch: the full record, email_address included, is encoded as-is
    $record = getUserRecord($username);
    echo json_encode($record);
}
Bad · PHP
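As an added example (not from the page or from MITRE), the fix for the PHP snippet above is shown in Python: a single allowlist-based scrub() that both the HTML and JSON paths call before any field leaves the trust boundary, with the unscrubbed JSON branch kept alongside for contrast and a small detection helper. USER_RECORDS, the field names other than email_address, and the function names are constructed for this example.

```python
import html
import json

# Allowlist of fields permitted to cross the trust boundary. Anything not
# listed (email_address, password_hash, a future column) is dropped, so a
# newly added sensitive column cannot leak by default the way a denylist
# applied to only one output path does.
PUBLIC_FIELDS = ("username", "display_name", "joined")

# Constructed sample data standing in for the database behind getUserRecord().
USER_RECORDS = {
    "alice": {
        "username": "alice",
        "display_name": "Alice <QA>",
        "joined": "2024-01-15",
        "email_address": "alice@example.test",
        "password_hash": "$2y$10$constructedhashvalue",
    },
}


def get_user_record(username):
    return dict(USER_RECORDS.get(username, {}))


def scrub(record):
    """One scrubbing step shared by every output format (CWE-212 fix)."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def render_json_vulnerable(username):
    """Mirrors the page's JSON branch: the raw record is serialized unscrubbed."""
    return json.dumps(get_user_record(username), sort_keys=True)


def render_json(username):
    """Hardened JSON branch: scrub before encoding."""
    return json.dumps(scrub(get_user_record(username)), sort_keys=True)


def render_html(username):
    """Hardened HTML branch: same scrub, plus escaping for the HTML context."""
    rows = scrub(get_user_record(username))
    items = "".join(f"<li>{html.escape(k)}: {html.escape(str(v))}</li>" for k, v in rows.items())
    return "<ul>" + items + "</ul>"


def leaked_fields(output, sensitive=("email_address", "password_hash")):
    """Detection helper: sensitive field names present in serialized output."""
    return [f for f in sensitive if f in output]
```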
CVE ID | Title | Product | CVSS | Severity | Published
------ | ----- | ------- | ---- | -------- | ---------
CVE-2024-43384 | Phoenix Contact: Improper removal of sensitive information in MGUARD products | FL MGUARD 2102 | 8.0 | High | 2026-05-07
CVE-2026-43528 | OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases | OpenClaw | 6.5 | Medium | 2026-05-05
CVE-2026-43824 | Argo CD data leak vulnerability | Argo CD | 7.7 | High | 2026-05-02
CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability | Windows 10 Version 1607 | 4.6 | Medium | 2026-04-14
CVE-2026-39937 | Global vanishing does not completely remove user email | Mediawiki - CentralAuth Extension | 7.5 (AI) | High (AI) | 2026-04-07
CVE-2026-34214 | Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON | trino | 7.7 | High | 2026-03-31
CVE-2026-1182 | Improper Removal of Sensitive Information Before Storage or Transfer in GitLab | GitLab | 4.3 | Medium | 2026-03-12
CVE-2026-1732 | Improper Removal of Sensitive Information Before Storage or Transfer in GitLab | GitLab | 4.3 | Medium | 2026-03-11
CVE-2026-27640 | tfplan2md has Sensitive Value Exposure in Generated Reports | tfplan2md | 5.3 (AI) | Medium (AI) | 2026-02-25
CVE-2025-8860 | Qemu-kvm: uefi-vars: information disclosure vulnerability in uefi_vars_write callback | | 3.3 | Low | 2026-02-18
CVE-2025-68131 | CBORDecoder reuse can leak shareable values across decode calls | cbor2 | 7.5 | - | 2025-12-31
CVE-2025-14267 | Unintended temporary cached data included in a structure only copy intended to be empty of data | M-Files Server | 6.5 (AI) | Medium (AI) | 2025-12-19
CVE-2025-65000 | Exposure of SSH Private Keys in Remote Alert Handlers (Linux) Rule | Checkmk | 7.5 (AI) | High (AI) | 2025-12-18
CVE-2025-65965 | Grype has a credential disclosure vulnerability in Grype JSON output | grype | 6.5 (AI) | Medium (AI) | 2025-11-25
CVE-2025-62483 | Zoom Clients - Improper Removal of Sensitive Information | Zoom Clients | 5.3 | Medium | 2025-11-13
CVE-2025-64326 | Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log | weblate | 2.6 | Low | 2025-11-06
CVE-2025-0011 | AMD Graphics Driver security vulnerability | AMD Ryzen™ 8000 Series Desktop Processors | 3.3 | Low | 2025-09-06
CVE-2025-58049 | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses | xwiki-platform | 5.8 | Medium | 2025-08-28
CVE-2025-48708 | Artifex Ghostscript security vulnerability | Ghostscript | 4.0 | Medium | 2025-05-23
CVE-2025-27221 | Ruby security vulnerability | URI | 3.2 | Low | 2025-03-03
CVE-2025-20118 | Cisco Application Policy Infrastructure Controller Authenticated Command Injection Due to Sensitive Disclosure Vulnerability | Cisco Application Policy Infrastructure Controller (APIC) | 4.4 | Medium | 2025-02-26
CVE-2024-8474 | OpenVPN Connect security vulnerability | OpenVPN Connect | 7.5 | - | 2025-01-06
CVE-2024-56353 | JetBrains TeamCity security vulnerability | TeamCity | 5.5 | Medium | 2024-12-20
CVE-2024-41156 | Hitachi Energy TRO600 security vulnerability | TRO600 | 2.7 | Low | 2024-10-29
CVE-2024-43554 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2024-10-08
CVE-2024-29120 | Apache StreamPark: Information leakage vulnerability | Apache StreamPark | 8.8 (AI) | High (AI) | 2024-07-17
CVE-2024-31493 | Fortinet FortiSOAR authorization issue vulnerability | FortiSOAR | 6.0 | Medium | 2024-06-03
CVE-2024-32028 | Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore | opentelemetry-dotnet | 4.1 | Medium | 2024-04-12
CVE-2023-28834 | Full path of data directory exposed to Nextcloud server users | security-advisories | 3.5 | Low | 2023-04-03
CVE-2022-4734 | Improper Removal of Sensitive Information Before Storage or Transfer in usememos/memos | usememos/memos | 8.1 | High | 2022-12-25

(AI) marks a CVSS score or severity that the page flags with its AI badge.

Vulnerabilities classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.