CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
What it is
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details
- system status and environment, such as the operating system and installed packages
- business secrets and intellectual property
- network status and configuration
- the product's own code or internal state
- metadata, e.g. logging of connections or message headers
- indirect information, such as a discrepancy between two internal operations that can be observed by an outsider

Information might be sensitive to diff
Impact
| Confidentiality | Read Application Data |
Mitigations
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separ
Real-world CVE examples
- CVE-2022-31162 — Rust library leaks OAuth client details in application debug logs
- CVE-2021-25476 — Digital Rights Management (DRM) capability for mobile platform leaks pointer information, simplifying ASLR bypass
- CVE-2001-1483 — Enumeration of valid usernames based on inconsistent responses
- CVE-2001-1528 — Account number enumeration via inconsistent responses.
- CVE-2004-2150 — User enumeration via discrepancies in error messages.
- CVE-2005-1205 — Telnet protocol allows servers to obtain sensitive environment information from clients.
- CVE-2002-1725 — Script calls phpinfo(), revealing system configuration to web user
- CVE-2002-0515 — Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by compa
- CVE-2004-0778 — Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, w
- CVE-2000-1117 — Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResou
- CVE-2003-0190 — Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
- CVE-2008-2049 — POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
Source: MITRE CWE. View on cwe.mitre.org →