When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
View on MITREIn situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Sensitive information may possibly be leaked through data queries accidentally.
This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
No detection method information available for this CWE.
Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.
View DetailsCWE-202: Exposure of Sensitive Information Through Data Queries is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
If exploited, CWE-202 (Exposure of Sensitive Information Through Data Queries) it can compromise Confidentiality, leading to outcomes such as Read Files or Directories and Read Application Data.
Recommended mitigations for CWE-202 include: This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
CWE-202 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-202, including CVE-2022-41935. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-202 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.