Cyber Resilience

CWE · MITRE source

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Abstraction: Base · CVEs in our corpus: 342

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages.

Debugging information helps an adversary learn about the system and form an attack plan. An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts.

An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.
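The stack-trace exposure the description ends on, as an added example that is not part of the CWE entry: a constructed Python request handler that fails on a hypothetical config path, rendered first with the leaky pattern (full traceback sent to the client) and then hardened (generic message plus an opaque reference id, with the traceback kept in the server log), plus a small marker check a response-scanning test can reuse.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")


def load_db_config() -> str:
    # Constructed failure deep inside the application; the exception message
    # carries an internal filesystem path (hypothetical, not a real deployment).
    raise FileNotFoundError("/srv/app/config/db.ini: No such file or directory")


def format_trace(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def leaky_error_response(exc: BaseException) -> tuple[int, str]:
    # CWE-497 pattern: source paths, function names and library internals
    # are written straight into the HTTP response body.
    return 500, "Internal Server Error\n" + format_trace(exc)


def hardened_error_response(exc: BaseException) -> tuple[int, str]:
    # Fix: the client gets a generic message and an opaque reference id; the
    # traceback goes to the server log, i.e. stays inside the product's own
    # control sphere, and the id lets operators correlate the two.
    ref = uuid.uuid4().hex
    log.error("ref=%s %s", ref, format_trace(exc))
    return 500, f"Internal Server Error (reference {ref})"


def handle_request(responder) -> tuple[int, str]:
    # Top-level handler: run the failing operation and render its error
    # with the chosen strategy.
    try:
        return 200, load_db_config()
    except Exception as exc:
        return responder(exc)


# Markers a response test can grep for: traceback headers, source-file
# references and absolute paths under common install roots.
LEAK_MARKERS = re.compile(r'Traceback \(most recent call last\)|File "|/srv/|/usr/|\.py\b')


def leaks_system_details(body: str) -> bool:
    return LEAK_MARKERS.search(body) is not None
```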

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 11 mapping(s) from 8 framework(s): CAPEC 2 (partial) · STIG oracle linux 8 2 (partial) · ATT&CK 2 (partial) · STIG rhel 8 1 (mostly) · OWASP-Web 1 (mostly) · STIG ubuntu 22 04 1 (partial) · STIG ubuntu 24 04 1 (partial) · ASVS 5.0 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (10) · AI

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-22 | Publicly Accessible Content | AC | Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems. |
| AC-23 | Data Mining Protection | AC | Employs detection to prevent unauthorized mining of sensitive system information from being exfiltrated to external control spheres. |
| SI-11 | Error Handling | SI | Ensures sensitive system information is not disclosed outside the intended control sphere through error output. |
| SI-20 | Tainting | SI | The control detects removal of sensitive system information into an unauthorized control sphere. |
| CM-12 | Information Location | CM | Documenting where system information is processed and stored prevents exposure to unauthorized control spheres. |
| PE-19 | Information Leakage | PE | The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations. |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM | Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections. |
| RA-2 | Security Categorization | RA | Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres. |
| SC-30 | Concealment and Misdirection | SC | System information is concealed or replaced with decoys, reducing leakage to unauthorized observers. |
| SR-7 | Supply Chain Operations Security | SR | Protecting supply-chain artifacts reduces exposure of sensitive system information outside its intended control sphere. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-31955 (KEV) | 10.0 | 5.5 | 0.8026 | 2021-06-08 |
| CVE-2020-25179 | 7.0 | 9.8 | 0.0135 | 2020-12-14 |
| CVE-2023-32550 | 7.0 | 9.3 | 0.0045 | 2023-06-06 |
| CVE-2024-4008 | 7.0 | 9.6 | 0.0027 | 2024-06-05 |
| CVE-2024-36554 | 7.0 | 9.8 | 0.0041 | 2025-02-06 |
| CVE-2025-1144 | 7.0 | 9.8 | 0.0047 | 2025-02-11 |
| CVE-2025-5893 (UPD) | 7.0 | 9.8 | 0.0042 | 2025-06-09 |
| CVE-2025-6561 (UPD) | 7.0 | 9.8 | 0.0048 | 2025-06-26 |
| CVE-2025-10264 | 7.0 | 10.0 | 0.0045 | 2025-09-12 |
| CVE-2025-44823 | 7.0 | 9.9 | 0.1557 | 2025-10-07 |
| CVE-2025-47699 | 7.0 | 9.9 | 0.0031 | 2025-10-23 |
| CVE-2024-13999 | 7.0 | 9.8 | 0.0179 | 2025-10-30 |
| CVE-2026-27494 | 7.0 | 9.9 | 0.0035 | 2026-02-25 |
| CVE-2026-7864 (UPD) | 6.0 | 0.0 | 0.1701 | 2026-05-08 |
| CVE-2020-26076 | 5.5 | 7.5 | 0.0132 | 2020-11-18 |
| CVE-2021-0260 | 5.5 | 7.3 | 0.0089 | 2021-04-22 |
| CVE-2022-28651 | 5.5 | 8.4 | 0.0032 | 2022-04-05 |
| CVE-2022-20664 | 5.5 | 7.7 | 0.0096 | 2022-06-15 |
| CVE-2022-1902 | 5.5 | 8.8 | 0.0115 | 2022-09-01 |
| CVE-2023-4237 | 5.5 | 7.3 | 0.0024 | 2023-10-04 |
| CVE-2024-22125 (UPD) | 5.5 | 7.4 | 0.0052 | 2024-01-09 |
| CVE-2024-25634 (UPD) | 5.5 | 7.2 | 0.0075 | 2024-02-19 |
| CVE-2024-31887 | 5.5 | 7.5 | 0.0052 | 2024-04-16 |
| CVE-2024-36070 | 5.5 | 7.5 | 0.0058 | 2024-05-19 |
| CVE-2024-5735 | 5.5 | 7.5 | 0.0152 | 2024-06-28 |