{"@ID": "223", "@Name": "Omission of Security-relevant Information", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "221", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase."}, {"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Non-Repudiation", "Impact": "Hide Activities", "Note": "The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-174", "Intro_Text": "This code logs suspicious multiple login attempts.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "return True;"}, {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "#text": "writeLog(\"Failed login attempt by User: \" . $userName . \" at \" + date('r') );"}, "#text": "incrementLoginAttempts($userName);if(recentLoginAttempts($userName) > 5){}"}], "xhtml:br": null, "#text": "if(authenticate($userName,$password)){}else{}"}}, "#text": "function login($userName,$password){}"}}, "Body_Text": "This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit."}, {"@Demonstrative_Example_ID": "DX-175", "Intro_Text": "This code prints the contents of a file if a user has permission.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null], "xhtml:i": "//resolve file if its a symbolic link", "xhtml:div": [{"@style": "margin-left:1em;", "#text": "$realFile = readlink($filename);"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "echo file_get_contents($realFile);return;"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "echo 'Access denied';writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));"}], "#text": "$user = getCurrentUser();$realFile = $filename;\n                           \n                           \n                           if(is_link($filename)){}\n                           if(fileowner($realFile) == $user){}else{}"}}, "#text": "function readFile($filename){}"}}, "Body_Text": "While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363)."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-1999-1029", "Description": "Login attempts are not recorded if the user disconnects before the maximum number of tries.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-1029"}, {"Reference": "CVE-2002-1839", "Description": "Sender's IP address not recorded in outgoing e-mail.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1839"}, {"Reference": "CVE-2000-0542", "Description": "Failed authentication attempts are not recorded if later attempt succeeds.", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-0542"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "PLOVER", "Entry_Name": "Omission of Security-relevant Information"}}, "References": {"Reference": {"@External_Reference_ID": "REF-62", "@Section": "Chapter 2, \"Accountability\", Page 40"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}]}}
