# Error Message Exposure of Memory Addresses

## Description

The software generates an error message that includes sensitive information about its environment, users, or associated data. In particular, exposure of memory addresses in error output might defeat ASLR by revealing where code or data is mapped in the process.

## Examples
### Insecure Code

```c
printf("Error: %p", pointer);
```

### Secure Code

```c
printf("Error: pointer address not logged for security reasons");
```

## Remediation
Use a secure logging mechanism that does not include sensitive information, such as memory addresses, in error messages. If an error message needs to identify a specific object, log an opaque identifier rather than the raw pointer value. Consider using a logging library that provides a secure way to log errors.

## Rule Details
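The following is an added example, not part of the rule's own code, showing one way to apply the remediation: an error message still identifies the object involved, but through a salted hash token instead of the raw address. The salt value, the `pointer_token` and `format_safe_error` names, and the `message_leaks_address` check are all assumptions made for this illustration; in a real program the salt would be seeded once from a CSPRNG at startup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-process secret salt. Hypothetical fixed value so the example runs
 * deterministically; a real program seeds it once from getrandom() or similar. */
static uint64_t g_ptr_salt = 0x9e3779b97f4a7c15ULL;

void set_pointer_salt(uint64_t salt) { g_ptr_salt = salt; }

/* Salted FNV-1a hash of the pointer value. The same pointer yields the same
 * token within one process (useful for correlating log lines), but the token
 * does not reveal the address itself. */
uint64_t pointer_token(const void *p) {
    uintptr_t v = (uintptr_t)p;
    uint64_t h = 1469598103934665603ULL ^ g_ptr_salt;
    for (size_t i = 0; i < sizeof v; i++) {
        h ^= (v >> (8 * i)) & 0xffu;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Formats an error message that names the object by its opaque token rather
 * than by "%p". Returns the number of characters snprintf would have written. */
int format_safe_error(char *buf, size_t len, const char *what, const void *p) {
    if (p == NULL)
        return snprintf(buf, len, "Error: %s (null pointer)", what);
    return snprintf(buf, len, "Error: %s (object #%016llx)", what,
                    (unsigned long long)pointer_token(p));
}

/* Defensive check: does a message contain the raw hex address of p? */
int message_leaks_address(const char *msg, const void *p) {
    char raw[32];
    snprintf(raw, sizeof raw, "%llx", (unsigned long long)(uintptr_t)p);
    return strstr(msg, raw) != NULL;
}

/* Self-check: tokens are stable per object, the raw address never appears in
 * the message, and NULL is reported without any address. Returns 1 on success. */
int self_check(void) {
    static int object;
    char a[96], b[96];
    format_safe_error(a, sizeof a, "open failed", &object);
    format_safe_error(b, sizeof b, "open failed", &object);
    if (strcmp(a, b) != 0) return 0;
    if (message_leaks_address(a, &object)) return 0;
    format_safe_error(a, sizeof a, "open failed", NULL);
    return strcmp(a, "Error: open failed (null pointer)") == 0;
}

int main(void) {
    static int object;
    char msg[96];
    format_safe_error(msg, sizeof msg, "open failed", &object);
    puts(msg); /* prints a token, not the address */
    return self_check() ? 0 : 1;
}
```

The token is only as good as the salt: with a guessable salt an attacker who knows the hash could brute-force candidate addresses, so it must be unpredictable per process. Where correlating log lines is not needed, the simplest fix remains the one in the Secure Code example above: omit the pointer entirely.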
| Field | Value |
|---|---|
| ID | CODE-0242 |
| Category | ErrorHandling |
| Severity | MEDIUM |
| CWE | CWE-209 |
| Confidence | LOW |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | error handling, logging, memory address exposure |
| OWASP | N/A |
## References
- https://github.com/struct/mms
- https://cwe.mitre.org/data/definitions/209
- https://cwe.mitre.org/data/definitions/200
- https://cwe.mitre.org/data/definitions/497