结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: Medium
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
cwe_Nature: ChildOf cwe_CWE_ID: 359 cwe_View_ID: 1000 cwe_Ordinal: Primary
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
范围 | 影响 | 注释 |
---|---|---|
Confidentiality | ['Read Files or Directories', 'Read Application Data'] | Sensitive information may possibly be leaked through data queries accidentally. |
策略:
This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
See the book Translucent Databases for examples.
映射的分类名 | ImNode ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Accidental leaking of sensitive information through data queries |