Détail du CWE-922

CWE-922

Insecure Storage of Sensitive Information
Incomplete
2013-07-17
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Description du CWE

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Informations générales

Modes d'introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
System Configuration

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
ConfidentialityRead Application Data, Read Files or Directories

Note: Attackers can read sensitive information by accessing the unrestricted storage mechanism.
IntegrityModify Application Data, Modify Files or Directories

Note: Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.

Exemples observés

Références Description

CVE-2009-2272

password and username stored in cleartext in a cookie

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Commentaire : Examine children of this entry to see if there is a better fit

NotesNotes

There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.
This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2013-06-23 +00:00 2013-07-17 +00:00 2.5

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Common_Consequences, Relationship_Notes
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples