CWE-202 (Exposure of Sensitive Information Through Data Queries) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-202

Exposure of Sensitive Information Through Data Queries

Medium Risk

Weakness Description

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Potential Mitigations

Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

Common Consequences

Confidentiality

Read Files or DirectoriesRead Application Data

Sensitive information may possibly be leaked through data queries accidentally.

Related Weaknesses

CWE-1230

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources