1. Home
  2. CWE Database
  3. CWE-524
Base · Medium

CWE-524: Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

CWE-524 · Base Level ·1 CVEs ·3 Mitigations

Description

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.

Potential Impact

Confidentiality

Read Application Data

Mitigations & Prevention

Architecture and Design

Protect information stored in cache.

Architecture and Design

Do not store unnecessarily sensitive information in the cache.

Architecture and Design

Consider using encryption in the cache.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2024-30127Product does not set the "no-cache" option in the HTTP Cache-Control header, allowing sensitive information to be cached

CWE-668: Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the...

Frequently Asked Questions

What is CWE-524?

CWE-524 (Use of Cache Containing Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

How can CWE-524 be exploited?

Attackers can exploit CWE-524 (Use of Cache Containing Sensitive Information) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-524?

Key mitigations include: Protect information stored in cache.

What is the severity of CWE-524?

CWE-524 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.