CWE-552

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Status
draft
Abstraction
base
Technologies
Not Technology-Specific; Cloud Computing

Web servers, FTP servers, and similar servers may store a set of files underneath a 'root' directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users, if any, may request those files. Alternatively, an application might package multiple files or directories into an archive file (e.g., ZIP or tar) without excluding the sensitive files that sit underneath those directories.

In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
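The archive case in the description (sensitive files swept into a ZIP handed to users) is the one most often introduced by application code rather than server configuration. The following is an added example, not part of the CWE entry: an export routine that walks a directory, refuses symlinks and anything resolving outside the export root, and drops files matching a deny list before writing the archive. The deny-list patterns and the sample project tree are constructed for this illustration.

```python
import fnmatch
import tempfile
import zipfile
from pathlib import Path

# Constructed deny list for this example; an application would tune it to its own layout.
SENSITIVE_PATTERNS = (".env", "*.pem", "*.key", "id_rsa*", ".htpasswd", "*.sqlite")
SENSITIVE_DIRS = (".git", ".ssh", "config/secrets")


def is_sensitive(rel_path: str) -> bool:
    """True if a '/'-separated path relative to the export root must be excluded."""
    parts = rel_path.split("/")
    for d in SENSITIVE_DIRS:
        dparts = d.split("/")
        if parts[: len(dparts)] == dparts:
            return True
    return any(fnmatch.fnmatch(parts[-1], pat) for pat in SENSITIVE_PATTERNS)


def build_export(root: Path, dest: Path) -> list[str]:
    """Zip the regular files under root into dest, skipping sensitive paths; returns what was included."""
    root = root.resolve()
    included = []
    with zipfile.ZipFile(dest, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(root.rglob("*")):
            # Symlinks are rejected before is_file(), which would follow them.
            if path.is_symlink() or not path.is_file():
                continue
            if not path.resolve().is_relative_to(root):
                continue  # resolved target escapes the export root
            rel = path.relative_to(root).as_posix()
            if is_sensitive(rel):
                continue
            zf.write(path, arcname=rel)
            included.append(rel)
    return included


def demo() -> list[str]:
    """Build a constructed site tree in a temp dir, export it, and return the archive listing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        files = {  # constructed sample content
            "index.html": "<h1>hi</h1>", "assets/app.js": "console.log(1)",
            ".env": "DB_PASSWORD=example", "config/secrets/db.yml": "password: example",
            "certs/server.pem": "-----BEGIN CERTIFICATE-----", ".git/HEAD": "ref: refs/heads/main",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        dest = Path(tmp) / "export.zip"
        build_export(root, dest)
        with zipfile.ZipFile(dest) as zf:
            return sorted(zf.namelist())
```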

Common Consequences

Scope
confidentiality; integrity
Impacts
read files or directories; modify files or directories

Detection Methods

automated static analysis

Potential Mitigations

Phases:
implementation; system configuration; operation
Descriptions:
• When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage), use the provider's controls to disable public access.