Description
The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
Developers might correctly prevent unauthorized access to a database or other resource containing sensitive information, but they might not consider that portions of the original information might also be recorded in metadata, search indices, statistical reports, or other resources. If these resources are not also restricted, then attackers might be able to extract some or all of the original information, or otherwise infer some details. For example, an attacker could specify search terms that are known to be unique to a particular person, or view metadata such as activity or creation dates in order to identify usage patterns.
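The following is an added example, not code from the CWE page: a record store whose direct reads are correctly ACL-checked, beside a search endpoint and a statistical report that are built over every record and therefore leak hit counts, identifiers, creation dates and tag statistics for records the caller may not read. The hardened versions authorise first and derive metadata only from the caller's visible set. All records, users, ACL entries and function names are constructed for this illustration.

```python
"""Added example (not from the CWE page): direct access is protected, but
derived metadata (search hits, dates, tag statistics) is not.  The hardened
functions restrict the derived data exactly as the original records are.
All data below is constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    record_id: str
    body: str        # the sensitive content; direct reads are ACL-checked
    created: date    # metadata derived from the record
    tags: tuple      # metadata derived from the record


# Constructed sample records and a per-record ACL (hypothetical users).
RECORDS = [
    Record("r1", "Patient J. Doe: positive for condition X", date(2023, 3, 4), ("clinic-a",)),
    Record("r2", "Patient A. Roe: routine check, no findings", date(2023, 3, 9), ("clinic-a",)),
    Record("r3", "Patient J. Doe: follow-up scheduled", date(2023, 4, 1), ("clinic-b",)),
]
ACL = {"r1": {"alice"}, "r2": {"alice", "bob"}, "r3": {"bob"}}


def can_read(user: str, record_id: str) -> bool:
    return user in ACL.get(record_id, set())


def get_record(user: str, record_id: str) -> Record:
    """Direct access: correctly protected by the ACL."""
    if not can_read(user, record_id):
        raise PermissionError(record_id)
    return next(r for r in RECORDS if r.record_id == record_id)


def _visible(user: str) -> list:
    """The records the caller is allowed to read."""
    return [r for r in RECORDS if can_read(user, r.record_id)]


def _matches(record: Record, term: str) -> bool:
    return term.lower() in record.body.lower()


def _metadata(record: Record) -> dict:
    return {"id": record.record_id, "created": record.created.isoformat(), "tags": list(record.tags)}


def search_vulnerable(user: str, term: str) -> dict:
    """CWE-1230: the index covers every record and returns metadata for each hit.
    A term unique to one person reveals whether, and when, records about them
    exist, even though get_record() would refuse the body."""
    hits = [r for r in RECORDS if _matches(r, term)]
    return {"count": len(hits), "results": [_metadata(r) for r in hits]}


def search_hardened(user: str, term: str) -> dict:
    """Authorise first: only readable records are searched, so the hit count and
    the metadata say nothing about records the caller cannot read."""
    hits = [r for r in _visible(user) if _matches(r, term)]
    return {"count": len(hits), "results": [_metadata(r) for r in hits]}


def tag_report_vulnerable(user: str) -> dict:
    """Statistical report aggregated over all records, regardless of the ACL."""
    return dict(Counter(tag for r in RECORDS for tag in r.tags))


def tag_report_hardened(user: str) -> dict:
    """The same report, derived only from records the caller may read."""
    return dict(Counter(tag for r in _visible(user) for tag in r.tags))


if __name__ == "__main__":
    # "mallory" holds no ACL entry, yet the vulnerable endpoints still answer.
    print("vulnerable search:", search_vulnerable("mallory", "J. Doe"))
    print("hardened search:  ", search_hardened("mallory", "J. Doe"))
    print("vulnerable report:", tag_report_vulnerable("mallory"))
    print("hardened report:  ", tag_report_hardened("mallory"))
```

The point of the hardened variants is that the authorisation decision is applied to the source records before any derived value (count, date, tag statistic) is computed, so the metadata inherits the same restriction as the data it was derived from; filtering the output afterwards would still leak the pre-filter count.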
Potential Impact
Confidentiality: Read Application Data
Related Weaknesses
Frequently Asked Questions
What is CWE-1230?
CWE-1230 (Exposure of Sensitive Information Through Metadata) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
How can CWE-1230 be exploited?
Attackers can exploit CWE-1230 (Exposure of Sensitive Information Through Metadata) to read application data. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-1230?
Apply the same access restrictions to metadata, search indices, statistical reports, and any other resource derived from the sensitive information as you apply to the original resource. In addition, follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-1230?
CWE-1230 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.