CWE-213: Exposure of Sensitive Information Due to Incompatible Policies

BaseDraft

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

View on MITRE
Back to CWE Lookup

Extended Description

When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-213: Exposure of Sensitive Information Due to Incompatible Policies?+

CWE-213: Exposure of Sensitive Information Due to Incompatible Policies is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed. When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users.

What are the security consequences of Exposure of Sensitive Information Due to Incompatible Policies?+

If exploited, CWE-213 (Exposure of Sensitive Information Due to Incompatible Policies) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

Which programming languages are affected by Exposure of Sensitive Information Due to Incompatible Policies?+

CWE-213 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Exposure of Sensitive Information Due to Incompatible Policies?+

MITRE documents real CVEs mapped to CWE-213, including CVE-2002-1725, CVE-2004-0033, CVE-2003-1181, CVE-2004-1422 and CVE-2004-1590. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-213 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More