CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
Abstraction: Base
Common Consequences
Confidentiality → Read Memory
Detection Methods
Manual Analysis
Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. Note that this test can likely be automated.
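As an added example, not code from the CWE entry: a C model of the detection method above, run against a constructed, hypothetical device with a four-word key register. The device structure, its `clear_on_debug` switch and the pattern values are assumptions; the transition is shown in both its defective form (keys survive the transition) and its corrected form (keys scrubbed before debug access widens).

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of a device holding a session key in registers.
 * Hypothetical: not modelled on any real SoC. */
enum power_state { STATE_RUN, STATE_DEBUG };

struct device {
    enum power_state state;
    uint32_t key[4];      /* sensitive location: a session key */
    bool clear_on_debug;  /* true = corrected firmware, false = the CWE-1272 defect */
};

/* Transition into the debug state. The defective variant leaves the key
 * in place even though debug access widens who may read it. */
static void enter_debug_state(struct device *d) {
    if (d->clear_on_debug)
        memset(d->key, 0, sizeof d->key);  /* mitigation: scrub before widening access */
    d->state = STATE_DEBUG;
}

/* A read as the debugger sees it: succeeds for any index once in debug state. */
static bool debug_read(const struct device *d, unsigned idx, uint32_t *out) {
    if (d->state != STATE_DEBUG || idx >= 4) return false;
    *out = d->key[idx];
    return true;
}

/* The detection method: write a known pattern, transition, read back.
 * Returns true when the device passes (the pattern is not recoverable). */
bool test_cleared_before_debug(struct device *d) {
    static const uint32_t pattern[4] = {0xA5A5A5A5u, 0x5A5A5A5Au, 0xDEADBEEFu, 0xCAFEBABEu};
    memcpy(d->key, pattern, sizeof pattern);
    enter_debug_state(d);
    for (unsigned i = 0; i < 4; i++) {
        uint32_t v;
        if (debug_read(d, i, &v) && v == pattern[i])
            return false;  /* read succeeded and data unchanged: test fails */
    }
    return true;
}

/* Run the test against the defective (false) or corrected (true) firmware model. */
bool run_test_variant(bool clear_on_debug) {
    struct device d = { .state = STATE_RUN, .clear_on_debug = clear_on_debug };
    return test_cleared_before_debug(&d);
}
```

The same loop generalizes to any set of sensitive locations and any transition (sleep, reset, debug unlock) by swapping the model's transition function for the real entry sequence.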
Real-World Examples (2)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2020-22656 | 7.5 | 0.2% | — |
| CVE-2023-41967 | 2.4 | 0.1% | — |
Risk Score: 0/100 (low-risk)
Active Threat: 0/50 · Minimal
Exploit Availability: 0/50 · Minimal