The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
View on MITREApplications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.
Protect information stored in cache.
Do not store unnecessarily sensitive information in the cache.
Consider using encryption in the cache.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-524: Use of Cache Containing Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.
If exploited, CWE-524 (Use of Cache Containing Sensitive Information) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-524 include: Protect information stored in cache. Do not store unnecessarily sensitive information in the cache. Consider using encryption in the cache.
A CWE (Common Weakness Enumeration) like CWE-524 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.