Class · High

CWE-221: Information Loss or Omission

Description

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Potential Impact

Scope: Non-Repudiation
Impact: Hide Activities

Demonstrative Examples

This code is intended to log suspicious repeated login attempts.
Bad
function login($userName, $password) {
    if (authenticate($userName, $password)) { return true; }
    incrementLoginAttempts($userName);
    // Only failures beyond the limit are written; earlier failures leave no record.
    if (recentLoginAttempts($userName) > 5) {
        writeLog("Failed login attempt by User: " . $userName . " at " . date('r'));
    }
}
This code only logs failed login attempts once a certain limit is reached. If an attacker knows this limit, they can keep their attack from being discovered by staying below it.
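The threshold-gated logging above, rewritten in Python beside a per-attempt variant, as an added example that is not part of the CWE entry; the credential store, the in-memory log list and the five-attempt budget are constructed for the demonstration and stand in for the PHP authenticate() and writeLog() calls.

```python
import datetime
from collections import defaultdict

# Constructed credential store; stands in for the page's authenticate().
USERS = {"alice": "correct-horse-battery"}


def authenticate(username: str, password: str) -> bool:
    return USERS.get(username) == password


class LoginService:
    """Login handler whose audit logging is either threshold-gated
    (the page's 'Bad' code: failures below the limit are omitted) or
    per-attempt (every failure is recorded as it happens)."""

    THRESHOLD = 5  # same limit as the PHP example

    def __init__(self, log_every_failure: bool):
        self.log_every_failure = log_every_failure
        self.attempts = defaultdict(int)
        self.log = []  # stands in for writeLog(); one entry per line written

    def login(self, username: str, password: str) -> bool:
        if authenticate(username, password):
            return True
        self.attempts[username] += 1
        n = self.attempts[username]
        when = datetime.datetime.now(datetime.timezone.utc).isoformat()
        # Gated behaviour: nothing is written until n exceeds THRESHOLD, so an
        # attacker who stops at THRESHOLD (or disconnects first) leaves no trace.
        if self.log_every_failure or n > self.THRESHOLD:
            self.log.append(f"Failed login attempt by User: {username} "
                            f"at {when} (attempt {n})")
        return False


def failed_attempts_recorded(log_every_failure: bool, tries: int) -> int:
    """Run `tries` wrong-password attempts against a fresh service and
    return how many of them reached the log."""
    svc = LoginService(log_every_failure)
    for _ in range(tries):
        svc.login("alice", "wrong-password")
    return len(svc.log)


if __name__ == "__main__":
    # An attacker who stays at the limit is invisible to the gated logger
    # but fully recorded by the per-attempt logger.
    print("gated:", failed_attempts_recorded(False, 5))       # 0
    print("per-attempt:", failed_attempts_recorded(True, 5))  # 5
```

The per-attempt variant is what a detection pipeline needs: a burst of five recorded failures can be alerted on, while the gated variant hands the analyst an empty log.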

Real-World CVE Examples

CVE ID          Description
CVE-2004-2227   Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
CVE-2003-0412   Application server does not log complete URI of a long request (truncation).
CVE-1999-1029   Login attempts are not recorded if the user disconnects before the maximum number of tries.
CVE-2002-0725   Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
CVE-1999-1055   Product does not warn user when document contains certain dangerous functions or macros.

Taxonomy Mappings

  • PLOVER: Information loss or omission

Frequently Asked Questions

What is CWE-221?

CWE-221 (Information Loss or Omission) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

How can CWE-221 be exploited?

Attackers can exploit CWE-221 (Information Loss or Omission) to hide activities. This weakness is typically introduced during the Architecture and Design, Implementation, and Operation phases of software development.

How do I prevent CWE-221?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-221?

CWE-221 is classified as a Class-level weakness (High abstraction). It has been observed in 5 real-world CVEs.