Information Exposure Through an Error Message
ID: scala.unsafe.scala_unsafe_rule_informationexposure
Severity: low
Resource: Unsafe
Language: Scala
Description
This rule flags code that writes exception details, such as a stack trace, to an output stream that may be visible to users. The sensitive information exposed this way may be valuable on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use the error information returned by the server to launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application.
The following code illustrates a vulnerable pattern detected by this rule:
import java.io.PrintStream
import java.sql.DriverManager

// `out` is the stream the error is written to, for example the HTTP response body.
def vulnerableErrorMessage1(uri: String, out: PrintStream): Unit = {
  try {
    val conn = DriverManager.getConnection(uri)
    conn.close()
  } catch {
    case sqlException: Exception =>
      // VULNERABLE: Information Exposure Through an Error Message
      // The stack trace (including the JDBC URL and driver internals) reaches the caller.
      sqlException.printStackTrace(out) // Normal Priority
  }
}
Remediation
Follow secure coding practices: do not write exception details such as stack traces to user-visible output, and review the references below for detailed remediation guidance.
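The hardened counterpart of the vulnerable snippet, added here as an example and not part of the rule's own documentation: the full exception goes to a server-side logger, and the caller only receives a fixed message plus a reference id. It assumes `java.util.logging` is acceptable as the server-side log and that its output is not reachable by clients.

```scala
import java.io.PrintStream
import java.sql.{Connection, DriverManager}
import java.util.UUID
import java.util.logging.{Level, Logger}
import scala.util.control.NonFatal

object SafeErrorHandling {
  // Server-side logger (assumption: its destination is not readable by clients).
  private val log = Logger.getLogger("db")

  // What the caller gets back: either a connection or an opaque, client-safe message.
  sealed trait Result
  final case class Opened(conn: Connection) extends Result
  final case class Failed(clientMessage: String) extends Result

  def openConnection(uri: String): Result =
    try Opened(DriverManager.getConnection(uri))
    catch {
      // NonFatal keeps the broad catch of the original without swallowing VM errors.
      case NonFatal(e) =>
        val ref = UUID.randomUUID().toString
        // Full detail stays server-side: e.g. "No suitable driver found for <uri>"
        // would otherwise leak the JDBC URL, host name and driver layout.
        log.log(Level.SEVERE, s"[$ref] database connection failed", e)
        // The client sees a constant message and a correlation id for support lookup.
        Failed(s"The service is temporarily unavailable (reference $ref)")
    }

  // Drop-in replacement for vulnerableErrorMessage1: nothing from the exception
  // object is ever written to `out`.
  def connectAndReport(uri: String, out: PrintStream): Unit =
    openConnection(uri) match {
      case Opened(conn) => conn.close(); out.println("connected")
      case Failed(msg)  => out.println(msg)
    }
}
```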
References
- OWASP Top 10 2021 - A01: Broken Access Control.