CWE-202 通过数据查询的敏感数据暴露
Exposure of Sensitive Data Through Data Queries
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: Medium
基本描述
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
扩展描述
In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 359 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | ['Read Files or Directories', 'Read Application Data'] | Sensitive information may possibly be leaked through data queries accidentally. |
可能的缓解方案
Architecture and Design
策略:
This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
示例代码
例
See the book Translucent Databases for examples.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Accidental leaking of sensitive information through data queries |