The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.
View on MITREWhen handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users.
No mitigation information available for this CWE.
No detection method information available for this CWE.
This code displays some information on a web page.
The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary.
Telnet protocol allows servers to obtain sensitive environment information from clients.
View DetailsTelnet protocol allows servers to obtain sensitive environment information from clients.
View DetailsNo relationship information available for this CWE.
CWE-213: Exposure of Sensitive Information Due to Incompatible Policies is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users.
If exploited, CWE-213 (Exposure of Sensitive Information Due to Incompatible Policies) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
CWE-213 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-213, including CVE-2002-1725, CVE-2004-0033, CVE-2003-1181, CVE-2004-1422 and CVE-2004-1590. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-213 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.