The product generates an error message that includes sensitive information about its environment, users, or associated data.
View on MITREOften this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Create default error pages or messages that do not leak any information.
This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
In the following example, sensitive information might be printed depending on the exception that occurs.
If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem.
This code tries to open a database connection, and prints any exceptions that occur.
If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database.
The following code generates an error message that leaks the full pathname of the configuration file.
If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.
In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.
The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.
POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
View DetailsProgram reveals password in error message if attacker can trigger certain database errors.
View DetailsComposite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
View DetailsExistence of user names can be determined by requesting a nonexistent blog and reading the error message.
View DetailsDirect request to library file in web application triggers pathname leak in error message.
View DetailsMalformed input to login page causes leak of full path when IMAP call fails.
View DetailsNo relationship information available for this CWE.
CWE-209: Generation of Error Message Containing Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product generates an error message that includes sensitive information about its environment, users, or associated data.
If exploited, CWE-209 (Generation of Error Message Containing Sensitive Information) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-209 include: Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function. Create default error pages or messages that do not leak any information.
CWE-209 can be detected using Manual Analysis and Automated Analysis. Combining automated tooling with manual review typically yields the best coverage.
CWE-209 commonly affects PHP, Java and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-209, including CVE-2008-2049, CVE-2007-5172, CVE-2008-4638, CVE-2008-1579 and CVE-2007-1409. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-209 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.