
CWE-359 (Privacy Violation) — Vulnerability Class 125

125 vulnerabilities classified as CWE-359 (Privacy Violation). AI-generated Chinese analysis included.

CWE-359 represents a critical security weakness where software fails to restrict access to sensitive personal data, allowing unauthorized individuals or entities to view private information without explicit permission or implicit consent. Attackers typically exploit this vulnerability by bypassing authentication mechanisms, exploiting broken access controls, or leveraging insecure direct object references to retrieve data such as social security numbers, financial records, or health details. To mitigate this risk, developers must implement robust identity verification and strict role-based access controls that enforce the principle of least privilege. Additionally, employing comprehensive encryption for data at rest and in transit, alongside rigorous input validation and regular security audits, ensures that only authorized users can interact with sensitive information, thereby preserving user privacy and maintaining regulatory compliance.

MITRE CWE Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (3)
Requirements: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability a…
Architecture and Design: Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which pri…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Examples (2)
The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among other values that are stored, the getPassword() function returns the user-supplied plaintext password associated with the account.
pass = GetPassword();
...
dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp);
Bad · C#
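As an added example (not code from the CWE entry or this page), the same audit-logging pattern rewritten in Python with an explicit field allowlist, so the plaintext password is never serialized at all; the record layout, field names and function names are assumed for illustration.

```python
# Constructed sample record, standing in for a row being written to the DB.
SAMPLE = {
    "id": 42,
    "pass": "hunter2",            # user-supplied plaintext password
    "type": "login",
    "tstamp": "2024-01-01T00:00:00Z",
}

# Fields an audit entry may carry. Anything not listed (the password above)
# is never serialized, so a sensitive column added later is excluded by
# default instead of needing a redaction rule bolted on afterwards.
AUDIT_FIELDS = ("id", "type", "tstamp")


def unsafe_log_line(record):
    """Mirrors the CWE example: every column, password included."""
    return ":".join(str(record[k]) for k in ("id", "pass", "type", "tstamp"))


def safe_log_line(record):
    """Serialize only allowlisted fields; fail loudly if one is absent."""
    missing = [k for k in AUDIT_FIELDS if k not in record]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    return ":".join(str(record[k]) for k in AUDIT_FIELDS)


def leaks_password(line, record):
    """Check helper: True if the plaintext password reached the log line."""
    return bool(record.get("pass")) and record["pass"] in line


if __name__ == "__main__":
    print("unsafe:", unsafe_log_line(SAMPLE))  # password lands in the log
    print("safe:  ", safe_log_line(SAMPLE))    # 42:login:2024-01-01T00:00:00Z
```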
This code uses the device's location to determine the user's current US state.
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
Bad · XML
locationClient = new LocationClient(this, this, this);
locationClient.connect();
Location userCurrLocation;
userCurrLocation = locationClient.getLastLocation();
deriveStateFromCoords(userCurrLocation);
Bad · Java
CVE ID | Title | CVSS | Severity | Published
CVE-2021-21823 | komoot information disclosure vulnerability — Komoot | 7.5 | - | 2021-08-20
CVE-2021-22876 | Haxx libcurl information disclosure vulnerability — https://github.com/curl/curl | 7.5 | - | 2021-04-01
CVE-2020-1688 | Junos OS: SRX and NFX Series: Insufficient Web API private key protection — Junos OS | 6.5 | Medium | 2020-10-16
CVE-2019-15623 | Nextcloud information disclosure vulnerability — Nextcloud Server | 5.3 | - | 2020-02-04
CVE-2017-16769 | Synology Photo Station Photo Viewer information disclosure vulnerability — Synology Photo Station | 5.3 | - | 2018-02-23

Vulnerabilities classified as CWE-359 (Privacy Violation) represent 125 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.