Cyber Posture

CWE · MITRE source

CWE-212Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · CVEs in our corpus: 109

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (8)AI

Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.

Control Title Family Why it addresses this CWE
SI-12Information Management and RetentionSIRetention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements.
SI-18Personally Identifiable Information Quality OperationsSIThe explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer.
SI-19De-identificationSIThe control implements proper removal of sensitive information before storage or transfer of datasets.
IR-9Information Spillage ResponseIREradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer.
MP-8Media DowngradingMPThe control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer.
PM-22Personally Identifiable Information Quality ManagementPMExplicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer.
SR-12Component DisposalSRRequires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data.
Show 1 more broadly-applicable controls
SI-21Information RefreshSIThe generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention.

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2022-28182.19.80.01502022-08-15
CVE-2021-03401.98.80.02622021-02-10
CVE-2026-428801.99.60.00032026-05-07
CVE-2019-134021.88.80.00402019-07-08
CVE-2020-116841.89.10.00172020-09-14
CVE-2022-03551.88.80.00462022-01-26
CVE-2022-306171.88.80.00482022-05-19
CVE-2022-310901.87.70.04982022-06-27
CVE-2026-328911.89.00.00022026-03-20
CVE-2020-150941.78.00.02252020-09-02
CVE-2022-16501.78.10.01542022-05-12
CVE-2022-311121.78.20.00602022-06-30
CVE-2022-393931.78.60.00332022-11-10
CVE-2002-07041.67.50.01082002-07-26
CVE-2019-112431.68.10.00242019-04-22
CVE-2022-310421.67.50.01452022-06-10
CVE-2022-310431.67.50.01452022-06-10
CVE-2022-47341.68.10.00342022-12-27
CVE-2024-84741.67.50.00842025-01-06
CVE-2024-433841.68.00.00042026-05-07
CVE-2017-151131.57.20.00342018-07-27
CVE-2018-63371.57.50.00272018-12-31
CVE-2020-19401.57.50.00692020-01-28
CVE-2019-206371.57.50.00482020-04-08
CVE-2021-317801.57.50.00352021-04-23