CWE - CWE-200: Information Exposure (3.2)
The Wayback Machine - https://web.archive.org/web/20190126150012/https://cwe.mitre.org/data/d…
Common Weakness Enumeration
A Community-Developed List of Software Weakness Types

Weakness ID: 200
Abstraction: Class
Structure: Simple
Status: Incomplete
Presentation Filter: High Level

Description
An information exposure is the intentional or unintentional disclosure of information to an
actor that is not explicitly authorized to have access to that information.

Extended Description
The information either:
1. is regarded as sensitive within the product's own functionality, such as a private
   message; or
2. provides information about the product or its environment that could be useful in an
   attack but is normally not available to the attacker, such as the installation path of a
   product that is remotely accessible.
Many information exposures are resultant (e.g. PHP script error revealing the full path of the
program), but they can also be primary (e.g. timing discrepancies in cryptography). There are
many different types of problems that involve information exposures. Their severity can range
widely depending on the type of information that is revealed.
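
The resultant case described above (an error message revealing a full path), shown as an added example that is not part of the CWE entry: a handler that echoes the raw exception next to one that keeps the detail in the server log. The install path, function names and report name are hypothetical.

```python
import logging
import uuid

log = logging.getLogger("app")

# Constructed install path, standing in for the "installation path of a
# product" the entry names as attack-useful information. Hypothetical.
INSTALL_DIR = "/opt/exampleapp/releases/3.2"


def load_report(name):
    """Hypothetical backend call; raises OSError when the file is missing."""
    path = f"{INSTALL_DIR}/reports/{name}.json"
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def handle_verbose(name):
    """Weak: the raw exception text is returned to the requester."""
    try:
        return 200, load_report(name)
    except OSError as exc:
        # str(exc) embeds the absolute file path: a resultant exposure.
        return 500, f"error: {exc}"


def handle_hardened(name):
    """Hardened: detail stays in the server log; the requester receives a
    generic message and an opaque reference that operators can look up."""
    try:
        return 200, load_report(name)
    except OSError:
        incident = uuid.uuid4().hex
        log.exception("report load failed incident=%s name=%r", incident, name)
        return 500, f"error: request failed (ref {incident})"


if __name__ == "__main__":
    print(handle_verbose("q1"))    # body contains INSTALL_DIR
    print(handle_hardened("q1"))   # body contains only the reference id
```
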

Alternate Terms
Information Leak: This is a frequently used term, however the "leak" term has
multiple uses within security. In some cases it deals with
exposure of information, but in other cases (such as "memory
leak") this deals with improper tracking of resources which
can lead to exhaustion. As a result, CWE is actively avoiding
usage of the "leak" term.
Information Disclosure: This term is frequently used in vulnerability databases and
other sources, however "disclosure" does not always have
security implications. The phrase "information disclosure" is
also used frequently in policies and legal documents, but does
not refer to disclosure of security-relevant information.

Relationships
The table(s) below show the weaknesses and high level categories that are related to this
weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to
similar items that may exist at higher and lower levels of abstraction. In addition,
relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the
user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)
Relevant to the view "Development Concepts" (CWE-699)

Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness
may be introduced. The Phase identifies a point in the software life cycle at which introduction
may occur, while the Note provides a typical scenario related to introduction during the given
phase.

Phase                      Note
Architecture and Design
Implementation

https://web.archive.org/web/20190126150012/https://cwe.mitre.org/data/definitions/200.html

WIZ, Inc. EXHIBIT - 1057
WIZ, Inc. v. Orca Security LTD.

Common Consequences
The table below specifies different individual consequences associated with the weakness. The
Scope identifies the application security area that is violated, while the Impact describes the
negative technical impact that arises if an adversary succeeds in exploiting this weakness. The
Likelihood provides information about how likely the specific consequence is expected to be
seen relative to the other consequences in the list. For example, there may be high likelihood
that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will
be exploited to achieve a different impact.

Scope              Impact                                         Likelihood
Confidentiality    Technical Impact: Read Application Data

Likelihood Of Exploit
High

Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference
this weakness as a member. This information is often useful in understanding where a
weakness fits within the context of external information sources.

Nature      Type   ID    Name
MemberOf           635   Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf           717   OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
MemberOf           963   SFP Secondary Cluster: Exposed Data

Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more
information, please email cwe@mitre.org.
CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright ©
2006-2019, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.