CWE · MITRE source
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan. An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts. An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (10)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-22 | Publicly Accessible Content | AC | Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems. |
| AC-23 | Data Mining Protection | AC | Employs detection to prevent unauthorized mining of sensitive system information from being exfiltrated to external control spheres. |
| SI-11 | Error Handling | SI | Ensures sensitive system information is not disclosed outside the intended control sphere through error output. |
| SI-20 | Tainting | SI | The control detects removal of sensitive system information into an unauthorized control sphere. |
| CM-12 | Information Location | CM | Documenting where system information is processed and stored prevents exposure to unauthorized control spheres. |
| PE-19 | Information Leakage | PE | The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations. |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM | Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections. |
| RA-2 | Security Categorization | RA | Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres. |
| SC-30 | Concealment and Misdirection | SC | System information is concealed or replaced with decoys, reducing leakage to unauthorized observers. |
| SR-7 | Supply Chain Operations Security | SR | Protecting supply-chain artifacts reduces exposure of sensitive system information outside its intended control sphere. |
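The stack-trace exposure the description above warns about, and the server-side error handling SI-11 calls for, as an added example that is not MITRE's or NIST's code: the `load_record`, `handle_leaky`, `handle_hardened` and `leaks_system_info` functions, the `SETTINGS` values and the `LEAK_PATTERNS` list are all constructed here for illustration.

```python
"""Added example: a request handler whose error path leaks system details
(CWE-497) beside a hardened version that keeps diagnostics server-side and
hands the caller only an opaque incident id. All names are constructed."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")  # server-side sink; never reaches the client

# Constructed stand-in for internal configuration that must stay hidden.
SETTINGS = {"data_dir": "/srv/app/data", "db_host": "db01.internal"}


def load_record(name: str) -> str:
    # Fails with a message that embeds an internal path, as real I/O errors do.
    raise FileNotFoundError(f"{SETTINGS['data_dir']}/{name}.json not found")


def handle_leaky(name: str) -> tuple[int, str]:
    """Vulnerable: the caller receives the stack trace, file paths and hostnames."""
    try:
        return 200, load_record(name)
    except Exception:
        return 500, traceback.format_exc() + f"\ndb={SETTINGS['db_host']}"


def handle_hardened(name: str) -> tuple[int, str]:
    """Mitigated: full diagnostics go to the server log only; the client gets a
    generic message plus an id that ties the response back to that log entry."""
    try:
        return 200, load_record(name)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("incident=%s request=%r", incident, name)
        return 500, f"Internal error. Reference: {incident}"


# Patterns a response-scanning test can use to flag system details escaping
# to the client. Constructed list; extend it for the stack you run.
LEAK_PATTERNS = [
    r"Traceback \(most recent call last\)",          # Python stack trace
    r"\bFile \"[^\"]+\", line \d+",                   # source file references
    r"(?<![\w.])/(?:srv|etc|home|var|usr)/[\w./-]+",  # absolute Unix paths
    r"\b[\w-]+\.internal\b",                          # internal hostnames
]


def leaks_system_info(body: str) -> list[str]:
    """Return the patterns that match, so a test can assert the list is empty."""
    return [p for p in LEAK_PATTERNS if re.search(p, body)]
```

Running `leaks_system_info` over every error response in an integration suite turns the SI-11 requirement into a regression check rather than a code-review reminder.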
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-34442 | 4.3 | 7.5 | 0.4749 | 2025-12-17 |
| CVE-2021-31955 (KEV) | 3.3 | 5.5 | 0.0407 | 2021-06-08 |
| CVE-2024-5735 | 3.3 | 7.5 | 0.3021 | 2024-06-28 |
| CVE-2020-25179 | 2.0 | 9.8 | 0.0022 | 2020-12-14 |
| CVE-2023-0342 | 2.0 | 3.1 | 0.2303 | 2023-06-09 |
| CVE-2024-36554 | 2.0 | 9.8 | 0.0013 | 2025-02-06 |
| CVE-2025-1144 | 2.0 | 9.8 | 0.0035 | 2025-02-11 |
| CVE-2025-5893 | 2.0 | 9.8 | 0.0059 | 2025-06-09 |
| CVE-2025-6561 | 2.0 | 9.8 | 0.0059 | 2025-06-26 |
| CVE-2025-10264 | 2.0 | 10.0 | 0.0007 | 2025-09-12 |
| CVE-2025-44823 | 2.0 | 9.9 | 0.0083 | 2025-10-07 |
| CVE-2025-47699 | 2.0 | 9.9 | 0.0006 | 2025-10-23 |
| CVE-2024-13999 | 2.0 | 9.8 | 0.0084 | 2025-10-30 |
| CVE-2026-27494 | 2.0 | 9.9 | 0.0009 | 2026-02-25 |
| CVE-2023-32550 | 1.9 | 9.3 | 0.0022 | 2023-06-06 |
| CVE-2024-4008 | 1.9 | 9.6 | 0.0024 | 2024-06-05 |
| CVE-2024-13995 | 1.9 | 8.8 | 0.0167 | 2025-10-30 |
| CVE-2022-1902 | 1.8 | 8.8 | 0.0082 | 2022-09-01 |
| CVE-2024-39675 | 1.8 | 8.8 | 0.0009 | 2024-07-09 |
| CVE-2025-9364 | 1.8 | 8.8 | 0.0002 | 2025-09-09 |
| CVE-2025-12779 | 1.8 | 8.8 | 0.0002 | 2025-11-05 |
| CVE-2022-28651 | 1.7 | 8.4 | 0.0000 | 2022-04-05 |
| CVE-2025-0061 | 1.7 | 8.7 | 0.0015 | 2025-01-14 |
| CVE-2024-12367 | 1.7 | 8.6 | 0.0006 | 2025-09-16 |
| CVE-2026-34413 | 1.7 | 8.6 | 0.0041 | 2026-04-22 |