1. Home
  2. CWE Database
  3. CWE-548
Variant · Low-Medium

CWE-548: Exposure of Information Through Directory Listing

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

CWE-548 · Variant Level ·1 CVEs ·1 Mitigations

Description

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Potential Impact

Confidentiality

Read Files or Directories

Mitigations & Prevention

Architecture and DesignSystem Configuration

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2023-37599web interface is configured to allow directory listing of a module path

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who ...

Taxonomy Mappings

  • OWASP Top Ten 2004: A10 — Insecure Configuration Management
  • WASC: 16 — Directory Indexing

Frequently Asked Questions

What is CWE-548?

CWE-548 (Exposure of Information Through Directory Listing) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

How can CWE-548 be exploited?

Attackers can exploit CWE-548 (Exposure of Information Through Directory Listing) to read files or directories. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-548?

Key mitigations include: Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Di

What is the severity of CWE-548?

CWE-548 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVEs.