Cyber Resilience

CWE · MITRE source

CWE-212Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · CVEs in our corpus: 116

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 19 mapping(s) from 5 framework(s): ATT&CK 12 (mostly) · STIG oracle linux 8 3 (mostly) · ASVS 5.0 2 (mostly) · STIG rhel 8 1 (partial) · STIG oracle linux 9 1 (partial)

See the full cumulative-coverage rollup →

NIST 800-53 r5 controls that address this weakness (8)AI

Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.

Control Title Family Why it addresses this CWE
SI-12Information Management and RetentionSIRetention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements.
SI-18Personally Identifiable Information Quality OperationsSIThe explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer.
SI-19De-identificationSIThe control implements proper removal of sensitive information before storage or transfer of datasets.
IR-9Information Spillage ResponseIREradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer.
MP-8Media DowngradingMPThe control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer.
PM-22Personally Identifiable Information Quality ManagementPMExplicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer.
SR-12Component DisposalSRRequires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data.
Show 1 more broadly-applicable controls
SI-21Information RefreshSIThe generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2020-116847.09.10.01082020-09-14
CVE-2022-28187.09.80.01282022-08-15
CVE-2026-328917.09.00.00162026-03-20
CVE-2026-42880 UPD7.09.60.00502026-05-07
CVE-2002-07045.57.50.03242002-07-26
CVE-2017-151135.57.20.01162018-07-27
CVE-2018-63375.57.50.01782018-12-31
CVE-2019-112435.58.10.01492019-04-22
CVE-2019-134025.58.80.01522019-07-08
CVE-2020-19405.57.50.04512020-01-28
CVE-2019-206375.57.50.01752020-04-08
CVE-2020-150945.58.00.03042020-09-02
CVE-2021-03405.58.80.02062021-02-10
CVE-2021-31780 UPD5.57.50.01042021-04-23
CVE-2020-364765.57.50.01552021-08-23
CVE-2022-03555.58.80.02022022-01-26
CVE-2022-236335.57.40.02212022-02-11
CVE-2022-247985.57.50.01372022-03-31
CVE-2022-16505.58.10.01692022-05-12
CVE-2022-306175.58.80.01342022-05-19
CVE-2022-306185.57.50.00902022-05-19
CVE-2022-310425.57.50.01822022-06-10
CVE-2022-310435.57.50.01822022-06-10
CVE-2021-468135.57.50.00602022-06-13
CVE-2022-310905.57.70.01762022-06-27