Base · Medium

CWE-223: Omission of Security-relevant Information

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

CWE-223 · Base Level · 3 CVEs


Potential Impact

Non-Repudiation

Hide Activities

Demonstrative Examples

This code logs suspicious multiple login attempts.
Bad
function login($userName, $password) {
    if (authenticate($userName, $password)) {
        return true;
    } else {
        incrementLoginAttempts($userName);
        // Only the sixth and later failures are recorded; earlier ones leave no trace
        if (recentLoginAttempts($userName) > 5) {
            // The original used "+" here, which is arithmetic in PHP, not concatenation
            writeLog("Failed login attempt by User: " . $userName . " at " . date('r'));
        }
    }
}
This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.
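The same threshold-gated logger rewritten in Python beside a hardened version, as an added example that is not part of the CWE entry. The credential store, the lockout threshold, the source address and the sequence of attempts are all constructed here for illustration. The hardened auditor records every failure (and every success) with who, from where, when and the running failure count, so an investigator can reconstruct the sequence regardless of how far below the lockout limit it stayed.

```python
"""Added example: threshold-gated login logging (as in the CWE example)
beside a logger that records every attempt with attribution data."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed credential store; a real system stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}
LOCKOUT_THRESHOLD = 5  # the limit the weak logger keys its logging on


def authenticate(user, password):
    return USERS.get(user) == password


class WeakAuditor:
    """Mirrors the 'Bad' example: a failure is only logged once the user
    has more than LOCKOUT_THRESHOLD recent failures."""

    def __init__(self):
        self.attempts = defaultdict(int)
        self.log = []

    def login(self, user, password, source_ip):
        if authenticate(user, password):
            return True
        self.attempts[user] += 1
        if self.attempts[user] > LOCKOUT_THRESHOLD:
            self.log.append(f"Failed login attempt by User: {user}")
        return False


class HardenedAuditor:
    """Records every attempt with the fields needed to attribute it."""

    def __init__(self, clock=None):
        self.attempts = defaultdict(int)
        self.log = []
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def login(self, user, password, source_ip):
        ok = authenticate(user, password)
        if not ok:
            self.attempts[user] += 1
        # Successes are logged too, so a later success does not erase the
        # trail of failures before it (compare CVE-2000-0542 on this page).
        self.log.append({
            "ts": self.clock().isoformat(),
            "event": "login_success" if ok else "login_failure",
            "user": user,
            "src": source_ip,
            "failures": self.attempts[user],
        })
        return ok


def run_scenario(auditor):
    """Constructed scenario: four wrong guesses from one address, staying
    below the lockout threshold, followed by the correct password."""
    for pw in ("pass1", "pass2", "pass3", "pass4"):
        auditor.login("alice", pw, "203.0.113.7")
    auditor.login("alice", "correct horse battery staple", "203.0.113.7")
    return auditor.log


if __name__ == "__main__":
    print("weak auditor recorded:", run_scenario(WeakAuditor()))
    print("hardened auditor recorded:")
    for entry in run_scenario(HardenedAuditor()):
        print(" ", entry)
```

Run the block and compare the two logs: the weak auditor leaves an empty log for the whole scenario, while the hardened one holds five entries that tie the failures to a single source address and show the failure count climbing to four before the success.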
This code prints the contents of a file if a user has permission.
Bad
// Named printFile() here: PHP function names are case-insensitive, so the
// original name readFile() collides with the built-in readfile()
function printFile($filename) {
    $user = getCurrentUser();
    $realFile = $filename;

    // resolve the file if it's a symbolic link
    if (is_link($filename)) {
        $realFile = readlink($filename);
    }
    if (fileowner($realFile) == $user) {
        echo file_get_contents($realFile);
        return;
    } else {
        echo 'Access denied';
        // logs the caller-supplied name, not the resolved one
        writeLog($user . ' attempted to access the file ' . $filename . ' on ' . date('r'));
    }
}
While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).
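A Python counterpart to the file-access example, as an added example that is not part of the CWE entry. It logs both the name the caller supplied and the canonical path it resolves to (via os.path.realpath), and it checks ownership with os.fstat on the descriptor it then reads from, so the check and the read refer to the same file rather than racing as is_link() and readlink() do. The temporary directory, the secret file, the symlink and the non-owner uid are constructed here for illustration.

```python
"""Added example: log the canonical target of a denied file access, and
check ownership on the opened descriptor rather than on a path."""
import os
import tempfile
from datetime import datetime, timezone


def log_denied_access(caller_uid, requested, log):
    """Record a denial with the name as supplied and the path it resolves to.
    realpath follows every symlink component, so a link with an innocuous
    name still yields an entry naming the real file."""
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": caller_uid,
        "requested": requested,
        "resolved": os.path.realpath(requested),
    })


def read_if_owner(caller_uid, requested, log):
    """Return the file contents if caller_uid owns the target, else None
    after logging the denial.  os.open follows symlinks like the PHP
    example; fstat on that descriptor is the ownership check, and the
    read uses the same descriptor, so there is no check/use window."""
    fd = os.open(requested, os.O_RDONLY)
    try:
        owner = os.fstat(fd).st_uid
    except OSError:
        os.close(fd)
        raise
    if owner != caller_uid:
        os.close(fd)
        log_denied_access(caller_uid, requested, log)
        return None
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def demo():
    """Constructed scenario: a secret file, a symlink with a harmless-looking
    name pointing at it, one access by the owner and one by another uid."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("top secret\n")
        link = os.path.join(d, "harmless.txt")
        os.symlink(secret, link)
        owner = os.stat(secret).st_uid
        allowed = read_if_owner(owner, link, log)
        denied = read_if_owner(owner + 1, link, log)  # constructed non-owner uid
        resolved_secret = os.path.realpath(secret)
    return {"allowed": allowed, "denied": denied,
            "log": log, "secret": resolved_secret}


if __name__ == "__main__":
    result = demo()
    print("owner read:", result["allowed"])
    print("non-owner read:", result["denied"])
    for entry in result["log"]:
        print("denied:", entry)
```

The single log entry produced by the scenario shows "harmless.txt" under "requested" and the real "secret.txt" path under "resolved"; an investigator reading only the supplied name would not know which file was actually targeted.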

Real-World CVE Examples

CVE ID          Description
CVE-1999-1029   Login attempts are not recorded if the user disconnects before the maximum number of tries.
CVE-2002-1839   Sender's IP address not recorded in outgoing e-mail.
CVE-2000-0542   Failed authentication attempts are not recorded if later attempt succeeds.

Taxonomy Mappings

  • PLOVER: Omission of Security-relevant Information

Frequently Asked Questions

What is CWE-223?

CWE-223 (Omission of Security-relevant Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

How can CWE-223 be exploited?

Attackers can exploit CWE-223 (Omission of Security-relevant Information) to hide their activities. This weakness is typically introduced during the Architecture and Design, Implementation, and Operation phases of software development.

How do I prevent CWE-223?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-223?

CWE-223 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.