CWE-212
AllowedImproper Removal of Sensitive Information Before Storage or Transfer
Abstraction: Base · Status: Incomplete
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
155 vulnerabilities reference this CWE, most recent first.
GHSA-GXPP-9RC5-5W9W
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2026-06-22 21:30In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.
{
"affected": [],
"aliases": [
"CVE-2021-31780"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-23T20:15:00Z",
"severity": "HIGH"
},
"details": "In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.",
"id": "GHSA-gxpp-9rc5-5w9w",
"modified": "2026-06-22T21:30:43Z",
"published": "2022-05-24T17:48:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31780"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/a0f08501d2850025892e703f40fb1570c7995478"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2VV-CMJP-M2W5
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.
{
"affected": [],
"aliases": [
"CVE-2019-20637"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-08T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.",
"id": "GHSA-h2vv-cmjp-m2w5",
"modified": "2022-05-24T17:13:55Z",
"published": "2022-05-24T17:13:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20637"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html"
},
{
"type": "WEB",
"url": "http://varnish-cache.org/security/VSV00004.html#vsv00004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HCF8-5J78-887V
Vulnerability from github – Published: 2024-07-17 15:30 – Updated: 2025-02-13 18:49In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.streampark:streampark"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29120"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-14T22:46:02Z",
"nvd_published_at": "2024-07-17T15:15:14Z",
"severity": "MODERATE"
},
"details": "In Streampark (version \u003c 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4",
"id": "GHSA-hcf8-5j78-887v",
"modified": "2025-02-13T18:49:53Z",
"published": "2024-07-17T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29120"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/incubator-streampark"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apache StreamPark: Information leakage vulnerability"
}
GHSA-HGQP-F75H-6P8R
Vulnerability from github – Published: 2025-02-26 18:30 – Updated: 2025-02-26 18:30A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.
This vulnerability is due to insufficient masking of sensitive information that is displayed through system CLI commands. An attacker could exploit this vulnerability by using reconnaissance techniques at the device CLI. A successful exploit could allow the attacker to access sensitive information on an affected device that could be used for additional attacks.
{
"affected": [],
"aliases": [
"CVE-2025-20118"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T17:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.\n\nThis vulnerability is due to insufficient masking of sensitive information that is displayed through system CLI commands. An attacker could exploit this vulnerability by using reconnaissance techniques at the device CLI. A successful exploit could allow the attacker to access sensitive information on an affected device that could be used for additional attacks.",
"id": "GHSA-hgqp-f75h-6p8r",
"modified": "2025-02-26T18:30:39Z",
"published": "2025-02-26T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20118"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-multi-vulns-9ummtg5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J45V-G64G-45W2
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.
{
"affected": [],
"aliases": [
"CVE-2018-1062"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-06T15:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.",
"id": "GHSA-j45v-g64g-45w2",
"modified": "2022-05-13T01:28:19Z",
"published": "2022-05-13T01:28:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2018:0135"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"
},
{
"type": "WEB",
"url": "https://gerrit.ovirt.org/#/c/84861"
},
{
"type": "WEB",
"url": "https://gerrit.ovirt.org/#/c/84875"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4CW-MCG2-2Q78
Vulnerability from github – Published: 2026-06-14 06:30 – Updated: 2026-06-17 18:35In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
{
"affected": [],
"aliases": [
"CVE-2026-54421"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-14T04:16:30Z",
"severity": "MODERATE"
},
"details": "In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.",
"id": "GHSA-j4cw-mcg2-2q78",
"modified": "2026-06-17T18:35:20Z",
"published": "2026-06-14T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54421"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ironic/+bug/2155049"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-023.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/16/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4PR-3WM6-XX2R
Vulnerability from github – Published: 2025-12-30 21:07 – Updated: 2026-05-29 21:45Impact
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
The vulnerability affects the uri gem bundled with the following Ruby series:
- 0.12.4 and earlier (bundled in Ruby 3.2 series)
- 0.13.2 and earlier (bundled in Ruby 3.3 series)
- 1.0.3 and earlier (bundled in Ruby 3.4 series)
Patches
Upgrade to 0.12.5, 0.13.3 or 1.0.4
References
- https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
- https://hackerone.com/reports/2957667
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61594"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T21:07:14Z",
"nvd_published_at": "2025-12-30T21:15:43Z",
"severity": "LOW"
},
"details": "### Impact\n\nIn affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.\n\nWhen using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.\n\nThe vulnerability affects the `uri` gem bundled with the following Ruby series:\n\n* 0.12.4 and earlier (bundled in Ruby 3.2 series)\n* 0.13.2 and earlier (bundled in Ruby 3.3 series)\n* 1.0.3 and earlier (bundled in Ruby 3.4 series)\n\n### Patches\n\nUpgrade to 0.12.5, 0.13.3 or 1.0.4\n\n### References\n\n* https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/\n* https://hackerone.com/reports/2957667",
"id": "GHSA-j4pr-3wm6-xx2r",
"modified": "2026-05-29T21:45:59Z",
"published": "2025-12-30T21:07:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61594"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2957667"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/uri"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "URI Credential Leakage Bypass over CVE-2025-27221"
}
GHSA-J593-H5V3-45X6
Vulnerability from github – Published: 2022-12-27 15:30 – Updated: 2023-01-10 15:38usememos/memos 0.9.0 and prior has endpoint that leaks user information like names, email, role, and OpenID to an authenticated user. A patch is available at commit 05b41804e33a34102f1f75bb2d69195dda6a1210 on the main branch.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4734"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T17:56:48Z",
"nvd_published_at": "2022-12-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos 0.9.0 and prior has endpoint that leaks user information like names, email, role, and OpenID to an authenticated user. A patch is available at commit 05b41804e33a34102f1f75bb2d69195dda6a1210 on the `main` branch.",
"id": "GHSA-j593-h5v3-45x6",
"modified": "2023-01-10T15:38:25Z",
"published": "2022-12-27T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4734"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/05b41804e33a34102f1f75bb2d69195dda6a1210"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/4b4421dc-73af-4dec-884c-836f9732cb5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos may leak user information to an authenticated user"
}
GHSA-J9PV-RRCJ-6PFX
Vulnerability from github – Published: 2026-04-02 21:01 – Updated: 2026-04-02 21:01Summary
SSH-based sandbox backends pass unsanitized process.env to child processes
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
cfe14459531e002a1c61c27d97ec7dc8aecddc1f— 2026-03-30T20:05:57+01:00
OpenClaw thanks @AntAISecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T21:01:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nSSH-based sandbox backends pass unsanitized process.env to child processes\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` \u2014 2026-03-30T20:05:57+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
"id": "GHSA-j9pv-rrcj-6pfx",
"modified": "2026-04-02T21:01:57Z",
"published": "2026-04-02T21:01:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/cfe14459531e002a1c61c27d97ec7dc8aecddc1f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes"
}
GHSA-JJ45-JP8R-QCJX
Vulnerability from github – Published: 2022-04-30 18:19 – Updated: 2024-02-03 03:30The Network Address Translation (NAT) capability for Netfilter ("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.
{
"affected": [],
"aliases": [
"CVE-2002-0704"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-07-26T04:00:00Z",
"severity": "MODERATE"
},
"details": "The Network Address Translation (NAT) capability for Netfilter (\"iptables\") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.",
"id": "GHSA-jj45-jp8r-qcjx",
"modified": "2024-02-03T03:30:26Z",
"published": "2022-04-30T18:19:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0704"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=102088521517722\u0026w=2"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/advisories/4116"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/9043.php"
},
{
"type": "WEB",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-030.php"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2002-086.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/4699"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation
Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
CAPEC-168: Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.