CWE-1266 - Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1266
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
Improper Scrubbing of Sensitive Data from Decommissioned Device
- Description
The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.
When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.
- Common Consequences
Scope: Confidentiality
Impact: Read Memory
- Related Weaknesses
- Release Date:
- 2020-02-24
- Latest Modification Date:
- 2023-06-29
Free security scan for your website