Information Management Errors
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to improper handling of sensitive information.
Weaknesses
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sens...
The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the origi...
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the und...
The product generates an error message that includes sensitive information about its environment, users, or associated data.
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the ...
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive ...
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or...
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control...
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information a...
The product stores sensitive information in a file system or device that does not have built-in access control.
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Concepts
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.