Description
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Potential Impact
Confidentiality
Read Files or Directories
Demonstrative Examples
logger.info("Username: " + usernme + ", CCN: " + ccn);Mitigations & Prevention
Do not expose file and directory information to the user.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2018-1999036 | SSH password for private key stored in build log |
Related Weaknesses
Frequently Asked Questions
What is CWE-538?
CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
How can CWE-538 be exploited?
Attackers can exploit CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory) to read files or directories. This weakness is typically introduced during the Implementation, Operation phase of software development.
How do I prevent CWE-538?
Key mitigations include: Do not expose file and directory information to the user.
What is the severity of CWE-538?
CWE-538 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.