CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

BaseStable

Description

View on MITRE
Back to CWE Lookup

Extended Description

Extended Description

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms

Frequently Asked Questions

What is CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere?+

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description

What are the security consequences of Exposure of Sensitive System Information to an Unauthorized Control Sphere?+

If exploited, CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) it can compromise Read Application Data, leading to outcomes such as Scope: Confidentiality.

How do you prevent or mitigate Exposure of Sensitive System Information to an Unauthorized Control Sphere?+

Recommended mitigations for CWE-497 include: Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs

Which programming languages are affected by Exposure of Sensitive System Information to an Unauthorized Control Sphere?+

CWE-497 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-497 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More