Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-524 (通过缓存导致的信息暴露) — Vulnerability Class 36

36 vulnerabilities classified as CWE-524 (通过缓存导致的信息暴露). AI Chinese analysis included.

CWE-524 represents a critical information exposure weakness where applications store sensitive data in caches that remain accessible to unauthorized actors outside the intended security boundary. This vulnerability typically arises when developers prioritize performance optimization by caching resources like passwords, financial records, or session tokens without implementing adequate access controls or encryption. Attackers exploit this flaw by accessing the underlying cache storage, often through memory inspection, shared hosting environments, or indirect file system access, thereby retrieving confidential information that should remain isolated. To mitigate this risk, developers must ensure that cached data is strictly encrypted, ephemeral, or restricted to privileged processes. Implementing rigorous memory management practices, clearing sensitive entries immediately after use, and applying the principle of least privilege to cache access mechanisms are essential strategies for preventing unintended data leakage and maintaining robust application security.

MITRE CWE Description
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.
Common Consequences (1)
ConfidentialityRead Application Data
Mitigations (3)
Architecture and DesignProtect information stored in cache.
Architecture and DesignDo not store unnecessarily sensitive information in the cache.
Architecture and DesignConsider using encryption in the cache.
CVE IDTitleCVSSSeverityPublished
CVE-2023-37486 Information Disclosure vulnerability in SAP Commerce (OCC API) — SAP Commerce (OCC API) 5.9 Medium2023-08-08
CVE-2022-3292 Use of Cache Containing Sensitive Information in ikus060/rdiffweb — ikus060/rdiffweb 6.5 -2022-09-28
CVE-2021-24027 Facebook WhatsApp 安全漏洞 — WhatsApp Business for Android 7.5 -2021-04-06
CVE-2019-14997 Atlassian Jira 安全漏洞 — Jira 4.3 -2019-09-11
CVE-2019-11244 kubectl creates world-writeable cached schema files — Kubernetes 5.5 -2019-04-22
CVE-2019-9495 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns — hostapd with EAP-pwd support 5.9 -2019-04-17

Vulnerabilities classified as CWE-524 (通过缓存导致的信息暴露) represent 36 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.