SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CWE

Exposure of Sensitive Data Through Data Queries

ID: 202		Date: (C)2012-05-14 (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Variant

Description

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Extended Description

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Likelihood of Exploit: Medium

Applicable Platforms
Language Class: All

Time Of Introduction

Architecture and Design
Implementation

Related Attack Patterns

CAPEC-169

Common Consequences

Scope	Technical Impact	Notes
Confidentiality	Read files or directories Read application data	Sensitive information may possibly be leaked through data queries accidentally.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
		This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

Relationships

Related CWE	Type	View	Chain
CWE-202 ChildOf CWE-895	Category	CWE-888

Demonstrative Examples (Details)

See the book Translucent Databases for examples.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
CLASP		Accidental leaking of sensitive information through data queries

References:
None


30479



423868



248678



909



195426



282