Variant · Low-Medium

CWE-219: Storage of File with Sensitive Data Under Web Root

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

CWE-219 · Variant Level · 5 CVEs · 2 Mitigations

Description

Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.

Potential Impact

Confidentiality

Read Application Data

Mitigations & Prevention

Implementation, System Configuration

Avoid storing information under the web root directory.

System Configuration

Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.
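As an added example (not MITRE's text or tooling), a small Python audit that applies the two mitigations from the defender's side: it walks a document root, flags files whose names mark them as data or credential files rather than content meant to be served, and records whether each one is readable by the permission class a web server account usually falls in. The suffix and name lists are assumed heuristics, and the sample document root is constructed inline.

```python
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Heuristic markers for files that hold data rather than content meant to be
# served; both sets are assumptions, extend them for the application audited.
SENSITIVE_SUFFIXES = {".sql", ".db", ".sqlite", ".sqlite3", ".mdb", ".bak", ".log"}
SENSITIVE_NAMES = {".env", ".htpasswd", "users.txt", "passwd"}

def classify(path: Path) -> Optional[str]:
    """Return why a file looks sensitive, or None if it does not."""
    if path.name.lower() in SENSITIVE_NAMES:
        return "credentials-or-config"
    if path.suffix.lower() in SENSITIVE_SUFFIXES:
        return "data-file"
    return None

def audit_web_root(root) -> List[dict]:
    """Walk a document root and list files that match CWE-219.
    Each finding holds the path relative to the root, why it was flagged and
    whether 'other' can read it (the web server's account usually can).
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):  # pathlib's "*" also matches dotfiles
        reason = classify(path) if path.is_file() else None
        if reason is None:
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "reason": reason,
            "world_readable": bool(path.stat().st_mode & stat.S_IROTH),
        })
    return findings

def build_sample_web_root() -> str:
    """Create a constructed document root: two safe files and three risky ones."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "data").mkdir()
    (root / "index.html").write_text("<html>public page</html>\n")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / ".env").write_text("DB_PASSWORD=constructed-example\n")  # credentials
    (root / "app.sqlite").write_bytes(b"SQLite format 3\x00")  # database file
    (root / "data" / "users.sql").write_text("INSERT INTO users VALUES ('a', 'x');\n")
    return str(root)

if __name__ == "__main__":
    for f in audit_web_root(build_sample_web_root()):
        print(f"{f['path']:<16} {f['reason']:<22} world_readable={f['world_readable']}")
```

Running it against a real document root instead of the constructed one gives the list of files to move out of the web root or to deny in the server configuration.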

Real-World CVE Examples

CVE ID         Description
CVE-2005-1835  Data file under web root.
CVE-2005-2217  Data file under web root.
CVE-2002-1449  Username/password in data file under web root.
CVE-2002-0943  Database file under web root.
CVE-2005-1645  Database file under web root.

Taxonomy Mappings

  • PLOVER: Sensitive Data Under Web Root
  • OWASP Top Ten 2004: A10 — Insecure Configuration Management

Frequently Asked Questions

What is CWE-219?

CWE-219 (Storage of File with Sensitive Data Under Web Root) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

How can CWE-219 be exploited?

Attackers can exploit CWE-219 (Storage of File with Sensitive Data Under Web Root) to read application data. This weakness is typically introduced during the Operation and Implementation phases of software development.

How do I prevent CWE-219?

Key mitigations include avoiding storing information under the web root directory and setting access control permissions so that sensitive files, whether inside or outside the web directory, cannot be read or written by untrusted parties.

What is the severity of CWE-219?

CWE-219 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.