CWE · MITRE source
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan.

An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts.

An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.
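The error-handling pattern described above, as an added example that is not MITRE's text or code from any project this page lists: a toy request handler in a leaky form (the raw stack trace, with file paths and exception class names, is returned to the caller) and a hardened form (detail is logged server-side under a correlation ID; the caller gets only the ID), followed by a small scanner that flags the kinds of system information the description names in a response body. The handler, the `/srv/app/data` path, the request dicts and the sample response strings are all constructed for the example; no web framework is involved.

```python
"""Added example of CWE-497: leaky vs. hardened error handling, plus a
response scanner for system-information leakage. All names, paths and
sample strings are constructed for illustration."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")
# Constructed internal detail that an outside party must never see.
DATA_DIR = "/srv/app/data"


def load_profile(user_id: str) -> dict:
    """Fake back end: fails the way a real file or DB layer might."""
    raise FileNotFoundError(f"{DATA_DIR}/profiles/{user_id}.json not found")


def handle_leaky(req: dict) -> dict:
    """Vulnerable: the full traceback (module paths, line numbers,
    exception class, the data-file path in the message) goes to the caller."""
    try:
        return {"status": 200, "body": load_profile(req["user_id"])}
    except Exception:
        return {"status": 500, "body": traceback.format_exc()}


def handle_hardened(req: dict) -> dict:
    """Fixed: the traceback stays in the server log, keyed by an incident ID;
    the caller receives a generic message plus that ID for support lookups."""
    try:
        return {"status": 200, "body": load_profile(req["user_id"])}
    except Exception:
        incident = uuid.uuid4().hex
        # exc_info=True writes the traceback to the server-side log only.
        log.error("request failed incident=%s user_id=%s",
                  incident, req.get("user_id"), exc_info=True)
        return {"status": 500, "body": f"Internal error. Reference: {incident}"}


# Things a response body should never carry: absolute paths, stack-trace
# markers, exception class names, and server/runtime version banners.
LEAK_PATTERNS = {
    "unix_path": re.compile(r"(?<![\w.])/(?:[\w.-]+/)+[\w.-]+"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+"),
    "py_traceback": re.compile(r"Traceback \(most recent call last\)|File \".+\", line \d+"),
    "java_trace": re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),
    "exception_name": re.compile(r"\b\w+(?:Error|Exception)\b"),
    "version_banner": re.compile(
        r"\b(?:Apache|nginx|PHP|Python|OpenSSL|Tomcat)/\d+(?:\.\d+)+", re.I),
}


def find_leaks(body: str) -> dict:
    """Return {pattern_name: sorted unique matches} for each pattern that hits.
    An empty dict means the body passed this check."""
    hits = {}
    for name, pat in LEAK_PATTERNS.items():
        found = pat.findall(body)
        if found:
            hits[name] = sorted(set(found))
    return hits


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        resp = handler({"user_id": "alice"})
        print(f"--- {handler.__name__} (status {resp['status']}) ---")
        print(resp["body"])
        print("leaks:", find_leaks(resp["body"]))
```

`find_leaks` is the kind of check to run in integration tests against every error path (and against deliberately provoked errors: bad IDs, malformed bodies, oversized inputs), since the description notes that attackers trigger errors precisely to read these responses. The hardened handler is the shape SI-11 asks for: enough for the operator to correlate the failure, nothing about the system for the caller.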
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 11 mapping(s) from 8 framework(s): CAPEC: 2 (partial) · STIG Oracle Linux 8: 2 (partial) · ATT&CK: 2 (partial) · STIG RHEL 8: 1 (mostly) · OWASP-Web: 1 (mostly) · STIG Ubuntu 22.04: 1 (partial) · STIG Ubuntu 24.04: 1 (partial) · ASVS 5.0: 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (10) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-22 | Publicly Accessible Content | AC | Ongoing review of publicly accessible content detects and removes sensitive system information before it is published. |
| AC-23 | Data Mining Protection | AC | Detection of data-mining activity limits an outside party's ability to harvest sensitive system information from the system. |
| SI-11 | Error Handling | SI | Error messages carry only what is needed for corrective action and are shown only to authorized roles, so system details do not leave the intended control sphere through error output. |
| SI-20 | Tainting | SI | Tainting sensitive system information allows its movement into an unauthorized control sphere to be detected. |
| CM-12 | Information Location | CM | Documenting where system information is processed and stored makes it easier to keep it out of unauthorized control spheres. |
| PE-19 | Information Leakage | PE | Protects against sensitive system information crossing into unauthorized control spheres through electromagnetic emanations. |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM | Authorization and minimization requirements keep PII out of test, training and research environments, which often lack production-grade protections. |
| RA-2 | Security Categorization | RA | Categorizing system information by sensitivity reduces the chance that sensitive internals are left exposed to unauthorized spheres. |
| SC-30 | Concealment and Misdirection | SC | System information is concealed or replaced with decoys, reducing what an unauthorized observer can learn. |
| SR-7 | Supply Chain Operations Security | SR | Operations security for supply-chain artifacts reduces exposure of sensitive system information outside its intended control sphere. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-31955 KEV | 10.0 | 5.5 | 0.8026 | 2021-06-08 |
| CVE-2020-25179 | 7.0 | 9.8 | 0.0135 | 2020-12-14 |
| CVE-2023-32550 | 7.0 | 9.3 | 0.0045 | 2023-06-06 |
| CVE-2024-4008 | 7.0 | 9.6 | 0.0027 | 2024-06-05 |
| CVE-2024-36554 | 7.0 | 9.8 | 0.0041 | 2025-02-06 |
| CVE-2025-1144 | 7.0 | 9.8 | 0.0047 | 2025-02-11 |
| CVE-2025-5893 UPD | 7.0 | 9.8 | 0.0042 | 2025-06-09 |
| CVE-2025-6561 UPD | 7.0 | 9.8 | 0.0048 | 2025-06-26 |
| CVE-2025-10264 | 7.0 | 10.0 | 0.0045 | 2025-09-12 |
| CVE-2025-44823 | 7.0 | 9.9 | 0.1557 | 2025-10-07 |
| CVE-2025-47699 | 7.0 | 9.9 | 0.0031 | 2025-10-23 |
| CVE-2024-13999 | 7.0 | 9.8 | 0.0179 | 2025-10-30 |
| CVE-2026-27494 | 7.0 | 9.9 | 0.0035 | 2026-02-25 |
| CVE-2026-7864 UPD | 6.0 | 0.0 | 0.1701 | 2026-05-08 |
| CVE-2020-26076 | 5.5 | 7.5 | 0.0132 | 2020-11-18 |
| CVE-2021-0260 | 5.5 | 7.3 | 0.0089 | 2021-04-22 |
| CVE-2022-28651 | 5.5 | 8.4 | 0.0032 | 2022-04-05 |
| CVE-2022-20664 | 5.5 | 7.7 | 0.0096 | 2022-06-15 |
| CVE-2022-1902 | 5.5 | 8.8 | 0.0115 | 2022-09-01 |
| CVE-2023-4237 | 5.5 | 7.3 | 0.0024 | 2023-10-04 |
| CVE-2024-22125 UPD | 5.5 | 7.4 | 0.0052 | 2024-01-09 |
| CVE-2024-25634 UPD | 5.5 | 7.2 | 0.0075 | 2024-02-19 |
| CVE-2024-31887 | 5.5 | 7.5 | 0.0052 | 2024-04-16 |
| CVE-2024-36070 | 5.5 | 7.5 | 0.0058 | 2024-05-19 |
| CVE-2024-5735 | 5.5 | 7.5 | 0.0152 | 2024-06-28 |