CWE-209 570 個 CVE MITRE 定義 ↗

CWE-209:Generation of Error Message Containing Sensitive Information

概覽

CWE-209(Generation of Error Message Containing Sensitive Information)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product generates an error message that includes sensitive information about its environment, users, or associated data.

適用平台

類型 名稱 普遍性 OS / CPE
language PHP Often
language Java Often
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-56139 2026-07-06 Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls wha…
CVE-2026-49365 2026-07-06 Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls…
CVE-2026-53906 2026-07-01 MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrar…
CVE-2026-56331 2026-06-30 Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can tr…
CVE-2025-36328 2026-06-30 IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.  This informa…
CVE-2026-47775 2026-06-26 Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-…
CVE-2026-49979 2026-06-24 Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values an…
CVE-2025-59872 2026-06-17 HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a …
CVE-2026-47248 2026-06-12 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema met…
CVE-2026-40997 2026-06-11 Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callb…
CVE-2026-41730 2026-06-09 Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0…
CVE-2025-52611 2026-06-04 HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Speci…
CVE-2025-52606 2026-06-04 HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain …
CVE-2026-9794 2026-05-28 A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced …
CVE-2026-42459 2026-05-27 free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Dat…
CVE-2026-1248 2026-05-27 IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages.
CVE-2024-28765 2026-05-27 IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message i…
CVE-2026-9583 2026-05-26 A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Ex…
CVE-2026-45728 2026-05-26 Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly…
CVE-2026-5511 2026-05-19 In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.  …

曾用名

  • Error Message Information Leaks (2009-01-12)
  • Error Message Information Leak (2009-12-28)
  • Information Exposure Through an Error Message (2020-02-24)

內容提交

名稱
CLASP
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Relationships
2009-01-12 CWE Content Team 1.2 updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
2009-03-10 CWE Content Team 1.3 updated Demonstrative_Examples, Potential_Mitigations, Relationships
2009-12-28 CWE Content Team 1.7 updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction
2010-02-16 CWE Content Team 1.8 updated Detection_Factors, References, Relationships
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Detection_Factors, Potential_Mitigations, References
2010-09-09 1.10 Suggested OWASP Top Ten mapping
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations, Relationships
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples, Observed_Examples, Relationships
2011-06-01 CWE Content Team 1.13 updated Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated References, Related_Attack_Patterns, Relationships
2013-07-17 CWE Content Team 2.5 updated References
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References, Relationships
2019-01-03 CWE Content Team 3.2 updated Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Relationships
2019-09-19 CWE Content Team 3.4 updated Demonstrative_Examples, Observed_Examples
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
2020-12-10 CWE Content Team 4.3 updated Potential_Mitigations, Related_Attack_Patterns
2021-07-20 CWE Content Team 4.5 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Demonstrative_Examples
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-09-09 CWE Content Team 4.18 updated Common_Consequences, Description, Diagram, Other_Notes, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships

貢獻

類型 名稱 日期 評論
Feedback Nick Johnston 2022-07-11 Identified incorrect language tag in demonstrative example.
cvelogic Threat Intelligence