Information Disclosure
Information disclosure is any flaw that reveals data the attacker should not see — error messages, debug pages, stack traces, internal IPs, or secrets.
Definition
Information disclosure is the umbrella class for vulnerabilities whose primary impact is unintended leakage of information. The leaked content ranges from harmless-looking debug pages (full of stack traces, framework versions, library paths) to high-impact secrets (private keys or credentials pulled from a web-exposed `.git` directory; API keys or other claims carried inside JSON Web Tokens, whose payload is only base64url-encoded rather than encrypted, written to a log at error level).
Information disclosure usually amplifies other attacks rather than being the final stage. A leaked framework version narrows the choice of CVEs to weaponise. A leaked stack trace exposes filesystem paths useful for path traversal. A memory over-read (Heartbleed) can return session cookies and private key material directly, with no further exploitation step.
How it works
Class-specific. Error pages that emit stack traces are the cheapest disclosure: one malformed request and the response carries file paths, framework versions and sometimes the query or connection string that failed. Memory-disclosure bugs (Heartbleed, CVE-2014-0160) leak whatever happens to sit next to the over-read pointer; in Heartbleed the server trusted the peer-supplied 2-byte payload length instead of the length of the record it had actually received, and echoed up to 64 KB of process heap per request. Server-status, actuator and debug endpoints, when reachable from the internet, serve everything from JVM thread dumps and heap dumps to in-process environment variables and configuration properties.
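The memory over-read described above, as an added example that is not OpenSSL's code: a Python model of the heartbeat handler, with the pre-fix logic (trust the length field) beside the post-fix bounds check. The "heap" is a constructed contiguous byte buffer with a fake session cookie placed just after the heartbeat record; the function names and the sample data are assumptions made for this illustration.

```python
import struct

# Constants from RFC 6520 (TLS Heartbeat extension).
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16  # every heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload, claimed_length):
    """Constructed heartbeat request. claimed_length is what the sender puts in
    the 2-byte length field; it need not match len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(heap, rec_off, rec_len):
    """Pre-fix behaviour: trusts the length field and copies that many bytes.
    rec_len (the real record length) is available but never consulted."""
    hb_type, payload_len = struct.unpack_from("!BH", heap, rec_off)
    if hb_type != HB_REQUEST:
        return b""
    start = rec_off + 3
    # The over-read: whatever lies after the record in the heap is echoed back.
    payload = heap[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def heartbeat_fixed(heap, rec_off, rec_len):
    """Post-fix behaviour: header, claimed payload and padding must fit inside
    the record actually received, otherwise the message is discarded."""
    hb_type, payload_len = struct.unpack_from("!BH", heap, rec_off)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING > rec_len:
        return b""  # silently drop, as RFC 6520 requires
    start = rec_off + 3
    payload = heap[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def demo():
    """Lay out a fake heap: [filler][heartbeat record][neighbouring secret][filler]."""
    secret = b"Cookie: session=9f2c0a7e1b; Secure"  # constructed neighbouring allocation
    record = build_heartbeat(b"hi", claimed_length=64)  # 2 real bytes, 64 claimed
    filler = bytes(32)
    heap = filler + record + secret + filler
    rec_off = len(filler)
    leaked = heartbeat_vulnerable(heap, rec_off, len(record))
    safe = heartbeat_fixed(heap, rec_off, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable response payload:", leaked[3:])
    print("fixed response:", safe)
```

Running `demo()` shows the vulnerable handler returning the two real payload bytes followed by the padding and then the neighbouring cookie, while the fixed handler returns nothing for the same record. The bug is not the copy itself but the source of the length: a field the peer controls was used where the size of the received record should have been.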
Impact
Variable. The disclosed material sets the bound: a stack trace is irritating, a private key is catastrophic. Most of the time the real impact is realised through the follow-on attack the leak enables rather than by the leak itself.
Mitigation
Disable stack traces in production: serve a generic error page carrying a correlation ID and keep the detail in server-side logs. Audit `/.git`, `/.env`, `/actuator`, `/debug`, `/server-status` from the public surface. Restrict debug endpoints to internal networks or put them behind authentication. Treat any field that touches a secret as security-critical for logging: redact tokens, Authorization headers and connection strings before they reach the log pipeline, since the log itself is just another place the secret can be disclosed from.
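The stack-trace disclosure from "How it works" and the first and last mitigations above, as an added Python example that is not code from the original page: a request handler whose debug path returns the raw traceback (including a credential embedded in a driver error message), beside a hardened path that returns only a reference ID and logs the detail through a redacting filter. The logger name, the redaction patterns, the in-memory log handler and the failing `connect_db()` are all constructed for this illustration; extend the pattern list for the token and key formats your own stack uses.

```python
import logging
import re
import traceback
import uuid

# Patterns for material that must never reach a log line (constructed for this example).
_REDACTIONS = [
    # Bearer tokens in an Authorization header.
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1<token>"),
    # JWTs anywhere: three base64url segments, and the header always starts with eyJ.
    (re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"), "<jwt>"),
    # key=value style secrets in query strings, config dumps and exception messages.
    (re.compile(r"(?i)((?:api[_-]?key|password|secret|token)=)[^&\s'\"]+"), r"\1<redacted>"),
    # Credentials embedded in connection URLs, e.g. scheme://user:pass@host.
    (re.compile(r"(://[^/\s:@]+:)[^@\s]+@"), r"\1<redacted>@"),
]


def redact(text):
    """Apply every redaction pattern; returns the scrubbed string."""
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler sees it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted log lines in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


log = logging.getLogger("app.errors")   # assumed logger name
log.setLevel(logging.ERROR)
log.propagate = False
log.addFilter(RedactingFilter())
captured = ListHandler()
log.addHandler(captured)


def connect_db():
    """Constructed failure whose message carries a credential, as driver errors often do."""
    raise ConnectionError("could not connect to postgres://app:hunter2@db.internal:5432/app")


def handle_request(debug):
    """Returns (status, body). debug=True mirrors a framework debug page left on
    in production; debug=False is the hardened path."""
    try:
        connect_db()
        return 200, "ok"
    except Exception:
        detail = traceback.format_exc()  # paths, versions and the raw exception text
        if debug:
            return 500, "<pre>" + detail + "</pre>"
        incident = uuid.uuid4().hex[:12]
        # Full detail stays server-side and passes through the redacting filter;
        # the client gets only a reference it can quote to support.
        log.error("incident %s\n%s", incident, detail)
        return 500, "Internal error. Reference: " + incident


if __name__ == "__main__":
    print(handle_request(debug=True)[1])
    print(handle_request(debug=False)[1])
    print("logged:", captured.lines[-1])
```

The filter is attached to the logger rather than to a handler so that every sink (file, syslog, SIEM shipper) sees the same scrubbed text; redaction applied only at one handler leaves the others leaking. Formatting the traceback into the message string, instead of passing `exc_info=True`, is deliberate: the standard formatter renders `exc_info` after filters have run, so a traceback passed that way would bypass the filter.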
Examples
- CVE-2014-0160 — Heartbleed; OpenSSL TLS heartbeat over-read returning up to 64 KB of process memory per request.