1. Home
  2. CWE Database
  3. CWE-210
Base · Medium

CWE-210: Self-generated Error Message Containing Sensitive Information

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

CWE-210 · Base Level ·1 CVEs ·2 Mitigations

Description

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits.
Bad
$uname = GetUserInput("username");
                     
                     
                     # avoid CWE-22, CWE-78, others.
                     if ($uname !~ /^\w+$/){ExitError("Bad hacker!") ;}
                     $filename = "/home/myprog/config/" . $uname . ".txt";if (!(-e $filename)){ExitError("Error: $filename does not exist");}
If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application.

Mitigations & Prevention

ImplementationBuild and Compilation

Debugging information should not make its way into a production release.

ImplementationBuild and Compilation

Debugging information should not make its way into a production release.

Real-World CVE Examples

CVE IDDescription
CVE-2005-1745Infoleak of sensitive information in error message (physical access required).

CWE-209: Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated d...

Taxonomy Mappings

  • PLOVER: — Product-Generated Error Message Infoleak
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-210?

CWE-210 (Self-generated Error Message Containing Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

How can CWE-210 be exploited?

Attackers can exploit CWE-210 (Self-generated Error Message Containing Sensitive Information) to read application data. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-210?

Key mitigations include: Debugging information should not make its way into a production release.

What is the severity of CWE-210?

CWE-210 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.