CWE-550: Server-generated Error Message Containing Sensitive Information
Certain conditions, such as network failure, will cause a server error message to be displayed.
Extended Description
While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
- Scope: Confidentiality
- Impact: Read Application Data
Mitigation Strategies
- Description: Design and add consistent error-handling mechanisms that can handle any user input to your web application, provide meaningful detail to end users, and prevent error messages that might give an attacker useful information from being displayed.
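As an added example (not part of the CWE entry), a minimal Python request handler shows the weakness beside the mitigation described above: the leaky handler echoes the exception text and stack trace to the client, while the hardened one logs the full detail server-side under a correlation id and returns a fixed, non-revealing message. The function names, the simulated backend failure and its internal hostname and account name are constructed for illustration.

```python
import logging
import traceback
import uuid

# Added example, not from the CWE page. handle_leaky / handle_hardened /
# fetch_account and the internal hostnames below are illustrative, not real.

log = logging.getLogger("app")

class BackendUnavailable(Exception):
    """Simulated backend/network failure whose message carries internal detail."""

def fetch_account(account_id: str) -> dict:
    # Constructed failure: a real driver would raise something similar.
    raise BackendUnavailable(
        f"could not connect to db-primary.internal:5432 as svc_accounts "
        f"while loading account {account_id!r}"
    )

def handle_leaky(account_id: str) -> tuple[int, str]:
    """CWE-550: the exception text (host, port, user) and the trace reach the client."""
    try:
        return 200, str(fetch_account(account_id))
    except Exception as exc:
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"

def handle_hardened(account_id: str) -> tuple[int, str]:
    """Consistent error handling: full detail stays in the server log under a
    correlation id; the client gets a fixed message plus that id for support."""
    try:
        return 200, str(fetch_account(account_id))
    except Exception:
        ref = uuid.uuid4().hex
        # Operators correlate this log entry with the reference the client saw.
        log.error("request failed ref=%s", ref, exc_info=True)
        return 500, f"The request could not be completed. Reference: {ref}"

# Constructed internal identifiers that must never appear in a client response.
SENSITIVE_MARKERS = ("db-primary.internal", "svc_accounts", "Traceback")

def leaks_internal_detail(body: str) -> bool:
    """Response-body check for the constructed internal identifiers above."""
    return any(marker in body for marker in SENSITIVE_MARKERS)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("acct-42")
        print(handler.__name__, status, "leaks" if leaks_internal_detail(body) else "clean")
```

The same marker check can be run as a test against a real application's error responses, so that a later change that starts echoing exception text is caught before release.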
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
Frequently Asked Questions
What is CWE-550: Server-generated Error Message Containing Sensitive Information?
CWE-550: Server-generated Error Message Containing Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Certain conditions, such as network failure, will cause a server error message to be displayed. While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems.
What are the security consequences of Server-generated Error Message Containing Sensitive Information?
If exploited, CWE-550 (Server-generated Error Message Containing Sensitive Information) can compromise Confidentiality, leading to outcomes such as Read Application Data.
How do you prevent or mitigate Server-generated Error Message Containing Sensitive Information?
Recommended mitigations for CWE-550 include designing and adding consistent error-handling mechanisms that can handle any user input to your web application, provide meaningful detail to end users, and prevent error messages that might give an attacker useful information from being displayed.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-550 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.