logo

CWE-1266 - Improper Scrubbing of Sensitive Data from Decommissioned Device

CWE-1266

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Incomplete
Weakness Name

Improper Scrubbing of Sensitive Data from Decommissioned Device

Description

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.

When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.

Common Consequences

Scope: Confidentiality

Impact: Read Memory

Related Weaknesses
  • Release Date:
  • 2020-02-24
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website