CWE-552 Détail

CWE-552

Nom

Files or Directories Accessible to External Parties

Statut

Draft

Publié

2006-07-19
00h00 +00:00

Modifié

2023-10-26
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Description du CWE

Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories.

In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.

Informations générales

Modes d'introduction

Architecture and Design
Implementation : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Operation : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: Cloud Computing (Often)

Conséquences courantes

Portée	Impact	Probabilité
Confidentiality Integrity	Read Files or Directories, Modify Files or Directories

Exemples observés

Références	Description
CVE-2005-1835	Data file under web root.

Mesures d’atténuation potentielles

Phases : Implementation // System Configuration // Operation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID	Nom du modèle d'attaque
CAPEC-150	Collect Data from Common Resource Locations An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639	Probe System Files An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.

Références

REF-1307

CIS Microsoft Azure Foundations Benchmark version 1.5.0
Center for Internet Security.
https://www.cisecurity.org/benchmark/azure

REF-1327

CIS Google Cloud Computing Platform Benchmark version 1.3.0
Center for Internet Security.
https://www.cisecurity.org/benchmark/google_cloud_computing_platform

Soumission

Nom	Organisation	Date	Date de publication	Version
CWE Community		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Nom	Organisation	Date	Commentaire
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
	Veracode	2008-08-15 +00:00	Suggested OWASP Top Ten 2004 mapping
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2008-11-24 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2009-07-27 +00:00	updated Relationships
	Veracode	2010-09-09 +00:00	Suggested OWASP Top Ten mapping
CWE Content Team	MITRE	2010-09-27 +00:00	updated Relationships
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2011-09-13 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-01-03 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2020-08-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References
CWE Content Team	MITRE	2023-04-27 +00:00	updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Observed_Examples

Détail du CWE-552