CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Risk rating: low

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Common Consequences
Detection Methods
According to SOAR [REF-1479], the following detection techniques may be useful:

- Cost effective for partial coverage: Bytecode Weakness Analysis (including disassembler plus source code weakness analysis); Inter-application Flow Analysis
- Highly cost effective: Web Application Scanner; Web Services Scanner; Database Scanners
- Cost effective for partial coverage: Fuzz Tester; Framework-based Fuzzer; Automated Monitored Execution; Monitored Virtual Environment (run potentially malicious code in a sandbox, wrapper or virtual machine and observe whether it does anything suspicious)
- Highly cost effective: Manual Source Code Review (not inspections)
- Highly cost effective: Context-configured Source Code Weakness Analyzer. Cost effective for partial coverage: Source Code Weakness Analyzer
- Highly cost effective: Formal Methods / Correct-By-Construction. Cost effective for partial coverage: Attack Modeling; Inspection (IEEE 1028 standard; can apply to requirements, design, source code, etc.)
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2021-41277 | 10.0 | 94.4% | Y |
| CVE-2024-24919 | 8.6 | 94.3% | Y |
| CVE-2023-49103 | 10.0 | 94.3% | Y |
| CVE-2021-27850 | 9.8 | 94.2% | — |
| CVE-2023-28432 | 7.5 | 94.0% | Y |
| CVE-2018-3760 | 7.5 | 93.8% | — |
| CVE-2021-34429 | 5.3 | 93.8% | — |
| CVE-2024-45388 | 7.5 | 93.7% | — |
| CVE-2024-0305 | 5.3 | 93.7% | — |
| CVE-2018-1000600 | 8.8 | 93.5% | — |