CWE-221: Information Loss or Omission
The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
Extended Description
This can be a resultant weakness, e.g. a buffer overflow might trigger a crash before the product can log the event.
Technical Details
- Structure: Simple
- Applicable To: Not Language-Specific
Security Consequences
- Scope: Non-Repudiation
- Impact: Hide Activities
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This code logs suspicious multiple login attempts.
This code only logs failed login attempts once a certain limit is reached. If an attacker knows this limit, they can avoid discovery by keeping their attempts below it, and the attempts that did occur leave no record for later analysis.
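The threshold-gated logging described above, side by side with a version that records every failure before any threshold logic runs, as an added Python example written for this page; it is not the CWE entry's own demonstrative code. The limit value, the account names and the source address are constructed for the simulation.

```python
"""Added example for CWE-221: threshold-gated failure logging vs. per-failure logging.

Constructed scenario (not from the CWE entry): one source address tries a few
passwords against each of three accounts and stops before the limit.
"""
from collections import defaultdict

LIMIT = 5  # assumed value for the "certain limit" the description refers to


class AuditLog:
    """Minimal in-memory stand-in for a real audit sink (syslog, SIEM forwarder, ...)."""

    def __init__(self):
        self.entries = []

    def write(self, line):
        self.entries.append(line)


class ThresholdOnlyLogger:
    """Weak pattern (CWE-221): a failure is recorded only after the per-user count
    passes LIMIT. Anything below the limit leaves no trace at all."""

    def __init__(self, log):
        self.log = log
        self.attempts = defaultdict(int)

    def failed_login(self, username, source):
        self.attempts[username] += 1
        if self.attempts[username] > LIMIT:
            self.log.write(f"Failed login limit exceeded for user: {username}")


class EveryFailureLogger:
    """Hardened pattern: every failure is recorded immediately, with its source and
    running count, before the threshold check. The limit only adds an alert line."""

    def __init__(self, log):
        self.log = log
        self.attempts = defaultdict(int)

    def failed_login(self, username, source):
        self.attempts[username] += 1
        n = self.attempts[username]
        # Record first, so a later crash or disconnect cannot lose this event.
        self.log.write(f"failed_login user={username} src={source} attempt={n}")
        if n > LIMIT:
            self.log.write(f"ALERT failed login limit exceeded user={username} src={source}")


def simulate(logger_cls, attempts_per_user):
    """Run the constructed scenario: one source fails attempts_per_user times against
    each of three accounts. Returns the audit entries the chosen logger produced."""
    log = AuditLog()
    logger = logger_cls(log)
    for user in ("alice", "bob", "carol"):  # constructed account names
        for _ in range(attempts_per_user):
            logger.failed_login(user, "198.51.100.7")  # constructed source (TEST-NET-2)
    return log.entries


def accounts_targeted_by(entries, source):
    """Later analysis: which distinct accounts saw failures from one source?
    This question can only be answered when per-attempt records exist."""
    users = set()
    for line in entries:
        if line.startswith("failed_login ") and f"src={source}" in line:
            fields = dict(kv.split("=", 1) for kv in line.split()[1:])
            users.add(fields["user"])
    return sorted(users)


if __name__ == "__main__":
    below = LIMIT - 1
    print("threshold-only logger, attempts below limit:", simulate(ThresholdOnlyLogger, below))
    entries = simulate(EveryFailureLogger, below)
    print("every-failure logger recorded", len(entries), "events")
    print("accounts hit from 198.51.100.7:", accounts_targeted_by(entries, "198.51.100.7"))
```

With four attempts per account the threshold-only logger writes nothing, while the per-failure logger leaves twelve records from which the spread across accounts can be reconstructed; raising the count past the limit makes the weak logger emit only a single summary line per account, still without the source or the individual attempts.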
Observed CVE Examples (5)
- Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
- Application server does not log the complete URI of a long request (truncation).
- Login attempts are not recorded if the user disconnects before the maximum number of tries.
- Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
- Product does not warn the user when a document contains certain dangerous functions or macros.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-221: Information Loss or Omission?
CWE-221: Information Loss or Omission is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. This can be a resultant weakness, e.g. a buffer overflow might trigger a crash before the product can log the event.
What are the security consequences of Information Loss or Omission?
If exploited, CWE-221 (Information Loss or Omission) can compromise Non-Repudiation, leading to outcomes such as Hide Activities.
Which programming languages are affected by Information Loss or Omission?
CWE-221 is classified as Not Language-Specific. Weaknesses of this kind are language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Information Loss or Omission?
MITRE documents real CVEs mapped to CWE-221, including CVE-2004-2227, CVE-2003-0412, CVE-1999-1029, CVE-2002-0725 and CVE-1999-1055. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-221 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.