CWE-202 通过数据查询的敏感数据暴露

Exposure of Sensitive Data Through Data Queries

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: Medium

基本描述

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

扩展描述

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 359 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Confidentiality ['Read Files or Directories', 'Read Application Data'] Sensitive information may possibly be leaked through data queries accidentally.

可能的缓解方案

Architecture and Design

策略:

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

示例代码

See the book Translucent Databases for examples.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Accidental leaking of sensitive information through data queries