CWE · MITRE source
CWE-209: Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 8 mapping(s) from 4 framework(s): CAPEC 3 (partial) · ATT&CK 3 (partial) · ASVS 5.0 1 (full) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.
NIST 800-53 r5 controls that address this weakness (6) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-11 | Error Handling | SI | Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action. |
| SI-15 | Information Output Filtering | SI | Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors. |
| SI-17 | Fail-safe Procedures | SI | Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information. |
| AU-13 | Monitoring for Information Disclosure | AU | Detects error messages that leak sensitive information as evidence of disclosure. |
| IA-6 | Authentication Feedback | IA | The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses. |
| SC-30 | Concealment and Misdirection | SC | Misdirection allows generation of misleading error messages that withhold or falsify sensitive details. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2013-7331 KEV | 10.0 | 6.5 | 0.5802 | 2014-02-26 |
| CVE-2024-29059 KEV UPD | 10.0 | 7.5 | 0.9883 | 2024-03-23 |
| CVE-2025-47813 KEV UPD | 10.0 | 4.3 | 0.5637 | 2025-07-10 |
| CVE-2010-3332 | 8.0 | 0.0 | 0.6748 | 2010-09-22 |
| CVE-2021-22145 | 8.0 | 6.5 | 0.7625 | 2021-07-21 |
| CVE-2025-62168 | 8.0 | 10.0 | 0.6332 | 2025-10-17 |
| CVE-2017-7945 | 7.0 | 9.8 | 0.0184 | 2017-04-29 |
| CVE-2017-7551 | 7.0 | 9.8 | 0.0142 | 2017-08-16 |
| CVE-2018-11325 | 7.0 | 9.8 | 0.0380 | 2018-05-22 |
| CVE-2018-14925 | 7.0 | 9.8 | 0.0154 | 2018-08-03 |
| CVE-2019-7612 | 7.0 | 9.8 | 0.0241 | 2019-03-25 |
| CVE-2019-7644 | 7.0 | 9.8 | 0.0166 | 2019-04-11 |
| CVE-2022-31229 | 7.0 | 9.6 | 0.0071 | 2022-06-28 |
| CVE-2022-34882 | 7.0 | 9.0 | 0.0073 | 2022-09-06 |
| CVE-2021-42777 | 7.0 | 9.8 | 0.0096 | 2022-10-29 |
| CVE-2023-40171 | 7.0 | 9.1 | 0.0076 | 2023-08-17 |
| CVE-2023-40757 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40758 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40759 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40760 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40761 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40762 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40763 | 7.0 | 9.8 | 0.0089 | 2023-08-28 |
| CVE-2023-40764 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |
| CVE-2023-40765 | 7.0 | 9.8 | 0.0075 | 2023-08-28 |