# CWE Detail Lookup

Retrieves the details of a single CWE weakness entry.

## Required permission

Available to accounts with the User role or higher.

## HTTP request

```
GET /api/sonar/cwes/:id
```

## cURL example

```bash
curl -H "Authorization: Bearer <API_KEY>" \
  https://HOSTNAME/api/sonar/cwes/7
```

## Request parameters

| Key | Required | Type | Description | Notes |
|---|---|---|---|---|
| id | Yes | string | CWE identifier | Serial number of the CWE (the N in CWE-N) |
## Successful response

```json
{
  "cwe": {
    "id": "CWE-7",
    "name": "J2EE Misconfiguration: Missing Custom Error Page",
    "status": "Incomplete",
    "type": "Weakness",
    "mapping_notes": {
      "usage": "Allowed",
      "reasons": "Acceptable-Use",
      "rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.",
      "comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction."
    },
    "abstraction": null,
    "structure": null,
    "description": "The default error page of a web application should not display sensitive information about the product.",
    "extended_description": "\n <xhtml:p>A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response.</xhtml:p>\n\n <xhtml:p>When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.</xhtml:p>\n\n ",
    "likelihood_of_exploit": null,
    "related_weakness": [
      {
        "related_id": "CWE-756",
        "related_name": "Missing Custom Error Page",
        "nature": "ChildOf",
        "ordinal": "Primary",
        "view_id": "CWE-1000",
        "view_name": "Research Concepts"
      }
    ],
    "datas": {
      "references": {
        "reference": [
          {
            "external_reference_id": "REF-6"
          },
          {
            "external_reference_id": "REF-65"
          }
        ]
      },
      "content_history": {
        "previous_entry_name": [
          {
            "date": "2009-03-10",
            "_text": "J2EE Misconfiguration: Missing Error Handling"
          }
        ],
        "submission": {
          "submission_date": "2006-07-19",
          "submission_releasedate": "2006-07-19",
          "submission_version": "Draft 3",
          "submission_name": "7 Pernicious Kingdoms"
        },
        "modification": [
          {
            "modification_organization": "Cigital",
            "modification_name": "Sean Eidemiller",
            "modification_comment": "added/updated demonstrative examples",
            "modification_date": "2008-07-01"
          },
          {
            "modification_organization": "Cigital",
            "modification_name": "Eric Dalci",
            "modification_comment": "updated Time_of_Introduction",
            "modification_date": "2008-07-01"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Relationships, Other_Notes, Taxonomy_Mappings",
            "modification_date": "2008-09-08"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Description",
            "modification_date": "2008-10-14"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Name, Relationships",
            "modification_date": "2009-03-10"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Common_Consequences",
            "modification_date": "2011-06-01"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Demonstrative_Examples, Relationships",
            "modification_date": "2012-05-11"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Potential_Mitigations",
            "modification_date": "2012-10-30"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Common_Consequences, Description, Other_Notes, Potential_Mitigations",
            "modification_date": "2014-06-23"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Relationships",
            "modification_date": "2014-07-30"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated References",
            "modification_date": "2017-11-08"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated References, Relationships",
            "modification_date": "2020-02-24"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Description",
            "modification_date": "2023-01-31"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Relationships, Time_of_Introduction",
            "modification_date": "2023-04-27"
          },
          {
            "modification_organization": "MITRE",
            "modification_name": "CWE Content Team",
            "modification_comment": "updated Mapping_Notes",
            "modification_date": "2023-06-29"
          }
        ]
      },
      "applicable_platforms": {
        "language": [
          {
            "prevalence": "Undetermined",
            "name": "Java"
          }
        ]
      },
      "potential_mitigations": {
        "mitigation": [
          {
            "phase": [
              "Implementation"
            ],
            "description": "Handle exceptions appropriately in source code."
          },
          {
            "phase": [
              "Implementation",
              "System Configuration"
            ],
            "description": "Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application."
          },
          {
            "phase": [
              "Implementation"
            ],
            "description": "Do not attempt to process an error or attempt to mask it."
          },
          {
            "phase": [
              "Implementation"
            ],
            "description": "Verify return values are correct and do not supply sensitive information about the system."
          }
        ]
      },
      "common_consequences": {
        "consequence": [
          {
            "note": "A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.",
            "scope": [
              "Confidentiality"
            ],
            "impact": [
              "Read Application Data"
            ]
          }
        ]
      },
      "taxonomy_mappings": {
        "taxonomy_mapping": [
          {
            "entry_name": "J2EE Misconfiguration: Missing Error Handling",
            "taxonomy_name": "7 Pernicious Kingdoms"
          }
        ]
      },
      "demonstrative_examples": {
        "demonstrative_example": [
          {
            "demonstrative_example_id": "DX-76",
            "_text": "\n <Intro_Text>In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).</Intro_Text>\n\n <Example_Code Language=\"Java\" Nature=\"Bad\">\n \n <xhtml:div>\n Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n <xhtml:div style=\"margin-left:1em;\">\n try {\n <xhtml:div style=\"margin-left:1em;\">...</xhtml:div>\n } catch (ApplicationSpecificException ase) {\n <xhtml:div style=\"margin-left:1em;\">logger.error(\"Caught: \" + ase.toString());</xhtml:div>\n }\n </xhtml:div>\n }\n </xhtml:div>\n \n</Example_Code>\n\n "
          }
        ]
      },
      "modes_of_introduction": {
        "introduction": [
          {
            "phase": "Implementation"
          }
        ]
      }
    },
    "created": "2006-07-19",
    "updated": "2023-06-29"
  }
}
```
## Error response

When the `id` does not exist, the API answers with HTTP status code 400:

```json
{
  "error_code": "invalid-argument",
  "error_msg": "cwe 'CWE-9999' not found"
}
```
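The following client ties the request, the successful response and the 400 error response together. It is an added example, not the service's own client library: it builds the `GET /api/sonar/cwes/:id` request with the bearer token in the `Authorization` header, turns the documented `invalid-argument` body into a typed exception, and reduces the large response to the fields a triage script usually wants (parent weaknesses, mitigations, impact scopes). The `transport` parameter, `fake_transport` and the trimmed `SAMPLE_OK`/`SAMPLE_ERR` bodies are assumptions introduced so the example runs offline; accepting `CWE-7` as well as the bare serial `7` is also an assumption, since the docs only show the serial in the path.

```python
"""Client helper for GET /api/sonar/cwes/:id (added example, not the API's own code)."""
import json
import re
import ssl
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class CweNotFound(LookupError):
    """Raised for the documented HTTP 400 'invalid-argument' response."""


class ApiError(RuntimeError):
    """Raised for any other non-200 response."""


def to_serial(cwe_id):
    """Normalise 7, "7" or "CWE-7" to the path parameter "7".

    Accepting the CWE-N form is an assumption; the docs only show the serial.
    """
    m = re.fullmatch(r"(?i:cwe-)?(\d+)", str(cwe_id).strip())
    if not m:
        raise ValueError(f"not a CWE serial number: {cwe_id!r}")
    return m.group(1)


def build_request(hostname, api_key, cwe_id):
    """Build the documented request. The key travels only in the header, never in the URL."""
    url = f"https://{hostname}/api/sonar/cwes/{to_serial(cwe_id)}"
    return Request(url, headers={"Authorization": f"Bearer {api_key}",
                                 "Accept": "application/json"})


def urllib_transport(req, timeout=10):
    """Real transport: returns (status, body) and does not raise on 4xx/5xx."""
    try:
        with urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
            return resp.status, resp.read()
    except HTTPError as e:
        return e.code, e.read()


def summarize(status, body):
    """Map the raw response to a compact summary or a typed error."""
    data = json.loads(body)
    if status == 400 and data.get("error_code") == "invalid-argument":
        raise CweNotFound(data.get("error_msg", "not found"))
    if status != 200:
        raise ApiError(f"HTTP {status}: {data}")
    cwe = data["cwe"]
    datas = cwe.get("datas") or {}
    parents = [r["related_id"] for r in cwe.get("related_weakness") or []
               if r.get("nature") == "ChildOf"]
    mitigations = [{"phases": m.get("phase", []), "description": m["description"]}
                   for m in (datas.get("potential_mitigations") or {}).get("mitigation", [])]
    scopes = sorted({s for c in (datas.get("common_consequences") or {}).get("consequence", [])
                     for s in c.get("scope", [])})
    return {"id": cwe["id"], "name": cwe["name"], "status": cwe.get("status"),
            "parents": parents, "mitigations": mitigations,
            "impact_scopes": scopes, "updated": cwe.get("updated")}


def fetch_cwe(cwe_id, api_key, hostname="HOSTNAME", transport=urllib_transport):
    """Fetch and summarise one CWE entry; `transport` is injectable for offline use."""
    status, body = transport(build_request(hostname, api_key, cwe_id))
    return summarize(status, body)


# Constructed sample bodies, trimmed from the documented responses above.
SAMPLE_OK = {"cwe": {
    "id": "CWE-7", "name": "J2EE Misconfiguration: Missing Custom Error Page",
    "status": "Incomplete",
    "related_weakness": [{"related_id": "CWE-756", "nature": "ChildOf"}],
    "datas": {
        "potential_mitigations": {"mitigation": [
            {"phase": ["Implementation"],
             "description": "Handle exceptions appropriately in source code."},
            {"phase": ["Implementation", "System Configuration"],
             "description": "Always define appropriate error pages."}]},
        "common_consequences": {"consequence": [
            {"scope": ["Confidentiality"], "impact": ["Read Application Data"]}]}},
    "created": "2006-07-19", "updated": "2023-06-29"}}
SAMPLE_ERR = {"error_code": "invalid-argument", "error_msg": "cwe 'CWE-9999' not found"}


def fake_transport(req):
    """Offline stand-in for urllib_transport, keyed on the serial in the path."""
    serial = req.full_url.rsplit("/", 1)[-1]
    if serial == "7":
        return 200, json.dumps(SAMPLE_OK).encode()
    return 400, json.dumps(SAMPLE_ERR).encode()


if __name__ == "__main__":
    print(fetch_cwe("CWE-7", "<API_KEY>", transport=fake_transport))
    try:
        fetch_cwe(9999, "<API_KEY>", transport=fake_transport)
    except CweNotFound as err:
        print("not found:", err)
```

For a real call, drop the `transport` argument and pass the actual hostname and key; `urllib_transport` returns the 400 body instead of raising, so `summarize` can distinguish an unknown id from a transport failure.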