CWE · MITRE source
CWE-212Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 19 mapping(s) from 5 framework(s): ATT&CK 12 (mostly) · STIG oracle linux 8 3 (mostly) · ASVS 5.0 2 (mostly) · STIG rhel 8 1 (partial) · STIG oracle linux 9 1 (partial)
NIST 800-53 r5 controls that address this weakness (8)AI
Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SI-12 | Information Management and Retention | SI | Retention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements. |
SI-18 | Personally Identifiable Information Quality Operations | SI | The explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer. |
SI-19 | De-identification | SI | The control implements proper removal of sensitive information before storage or transfer of datasets. |
IR-9 | Information Spillage Response | IR | Eradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer. |
MP-8 | Media Downgrading | MP | The control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer. |
PM-22 | Personally Identifiable Information Quality Management | PM | Explicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer. |
SR-12 | Component Disposal | SR | Requires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data. |
Show 1 more broadly-applicable controls
SI-21 | Information Refresh | SI | The generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this;
→ this covers other (F/M/P = full / mostly /
partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2020-11684 | 7.0 | 9.1 | 0.0108 | 2020-09-14 |
CVE-2022-2818 | 7.0 | 9.8 | 0.0128 | 2022-08-15 |
CVE-2026-32891 | 7.0 | 9.0 | 0.0016 | 2026-03-20 |
CVE-2026-42880 UPD | 7.0 | 9.6 | 0.0050 | 2026-05-07 |
CVE-2002-0704 | 5.5 | 7.5 | 0.0324 | 2002-07-26 |
CVE-2017-15113 | 5.5 | 7.2 | 0.0116 | 2018-07-27 |
CVE-2018-6337 | 5.5 | 7.5 | 0.0178 | 2018-12-31 |
CVE-2019-11243 | 5.5 | 8.1 | 0.0149 | 2019-04-22 |
CVE-2019-13402 | 5.5 | 8.8 | 0.0152 | 2019-07-08 |
CVE-2020-1940 | 5.5 | 7.5 | 0.0451 | 2020-01-28 |
CVE-2019-20637 | 5.5 | 7.5 | 0.0175 | 2020-04-08 |
CVE-2020-15094 | 5.5 | 8.0 | 0.0304 | 2020-09-02 |
CVE-2021-0340 | 5.5 | 8.8 | 0.0206 | 2021-02-10 |
CVE-2021-31780 UPD | 5.5 | 7.5 | 0.0104 | 2021-04-23 |
CVE-2020-36476 | 5.5 | 7.5 | 0.0155 | 2021-08-23 |
CVE-2022-0355 | 5.5 | 8.8 | 0.0202 | 2022-01-26 |
CVE-2022-23633 | 5.5 | 7.4 | 0.0221 | 2022-02-11 |
CVE-2022-24798 | 5.5 | 7.5 | 0.0137 | 2022-03-31 |
CVE-2022-1650 | 5.5 | 8.1 | 0.0169 | 2022-05-12 |
CVE-2022-30617 | 5.5 | 8.8 | 0.0134 | 2022-05-19 |
CVE-2022-30618 | 5.5 | 7.5 | 0.0090 | 2022-05-19 |
CVE-2022-31042 | 5.5 | 7.5 | 0.0182 | 2022-06-10 |
CVE-2022-31043 | 5.5 | 7.5 | 0.0182 | 2022-06-10 |
CVE-2021-46813 | 5.5 | 7.5 | 0.0060 | 2022-06-13 |
CVE-2022-31090 | 5.5 | 7.7 | 0.0176 | 2022-06-27 |