CWE-210: Self-generated Error Message Containing Sensitive Information
The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits.
If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application.
Observed CVE Examples (1)
Infoleak of sensitive information in error message (physical access required).
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-210: Self-generated Error Message Containing Sensitive Information?+
CWE-210: Self-generated Error Message Containing Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
What are the security consequences of Self-generated Error Message Containing Sensitive Information?+
If exploited, CWE-210 (Self-generated Error Message Containing Sensitive Information) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Which programming languages are affected by Self-generated Error Message Containing Sensitive Information?+
CWE-210 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Self-generated Error Message Containing Sensitive Information?+
MITRE documents real CVEs mapped to CWE-210, including CVE-2005-1745. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-210 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.