
Generation of Error Message Containing Sensitive Information ('Information Leakage') [VID:130] #100

Open
github-actions bot opened this issue Jul 5, 2021 · 0 comments
Labels
Veracode Policy Scan A Veracode Flaw found during a Policy or Sandbox Scan VeracodeFlaw: Low A Veracode Flaw, Low severity

Comments


github-actions bot commented Jul 5, 2021

Filename: blab.jsp

Line: 69

CWE: 209 (Generation of Error Message Containing Sensitive Information ('Information Leakage'))

The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other details such as the names and versions of the application container and associated components. This information can be useful in executing other attacks and can also enable the attacker to target known vulnerabilities in application components. The first argument to print() contains data from an error message (possibly containing untrusted data) from the variable error. The data from an error message (possibly containing untrusted data) originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.lang.Throwable.getMessage, and java.lang.Throwable.printStackTrace. The data from an error message (possibly containing untrusted data) is directed into an output stream returned by javax.servlet.jsp.JspWriter. Ensure that error codes or other messages returned to end users are not overly verbose. Sanitize all messages of any sensitive information that is not absolutely necessary. References: CWE

@github-actions github-actions bot added Veracode Policy Scan A Veracode Flaw found during a Policy or Sandbox Scan VeracodeFlaw: Low A Veracode Flaw, Low severity labels Jul 5, 2021