目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-209 通过错误消息导致的信息暴露 类漏洞列表 307

CWE-209 通过错误消息导致的信息暴露 类弱点 307 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-209属于信息泄露漏洞,指软件在生成错误消息时意外包含敏感的环境、用户或数据信息。攻击者通常利用这些详细的错误堆栈或路径信息,识别系统架构、数据库结构或用户身份,从而辅助后续更精准的定向攻击。开发者应避免在生产环境中暴露内部细节,通过配置统一的通用错误页面、过滤敏感字段及记录日志而非直接展示,来防止敏感数据外泄。

MITRE CWE 官方描述
CWE:CWE-209 生成包含敏感信息的错误消息 (Generation of Error Message Containing Sensitive Information) 英文:产品生成的错误消息 (error message) 包含了关于其环境、用户或关联数据的敏感信息 (sensitive information)。
常见影响 (1)
ConfidentialityRead Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
缓解措施 (5)
ImplementationEnsure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
ImplementationHandle exceptions internally and do not display errors containing potentially sensitive information to a user.
ImplementationUse naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and CompilationDebugging information should not make its way into a production release.
Implementation, Build and CompilationDebugging information should not make its way into a production release.
代码示例 (2)
In the following example, sensitive information might be printed depending on the exception that occurs.
try { /.../ } catch (Exception e) { System.out.println(e); }
Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.
try { openDbConnection(); } //print exception message that includes exception message and configuration file location catch (Exception $e) { echo 'Caught exception: ', $e->getMessage(), '\n'; echo 'Check credentials in config file at: ', $Mysql_config_location, '\n'; }
Bad · PHP
CVE ID标题CVSS风险等级Published
CVE-2018-12536 Eclipse Jetty Server 信息泄露漏洞 — Eclipse Jetty 5.3 -2018-06-27
CVE-2018-1073 Red Hat ovirt-engine 信息泄露漏洞 — ovirt-engine 5.3 -2018-06-19
CVE-2017-2594 hawtio 路径遍历漏洞 — hawtio 7.5 -2018-05-08
CVE-2017-7551 389-ds-base 授权问题漏洞 — 389-ds-base 9.8 -2017-08-16
CVE-2017-0885 Nextcloud Server 安全漏洞 — Nextcloud Server 4.3 -2017-04-05
CVE-2016-9459 Nextcloud Server和ownCloud Server 跨站脚本漏洞 — Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 6.1 -2017-03-28
CVE-2012-0059 Red Hat Network Satellite和Proxy 加密问题漏洞 — Red Hat Enterprise Linux 6 4.9 Medium2014-02-05

CWE-209(通过错误消息导致的信息暴露) 是常见的弱点类别,本平台收录该类弱点关联的 307 条 CVE 漏洞。