Description
The product makes files or directories accessible to unauthorized actors, even though they should not be.
Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
Potential Impact
Confidentiality, Integrity
Read Files or Directories, Modify Files or Directories
Demonstrative Examples
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access trueaz storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access falsegsutil iam get gs://BUCKET_NAME{
"bindings":[{
"members":[
"projectEditor: PROJECT-ID",
"projectOwner: PROJECT-ID"
],
"role":"roles/storage.legacyBucketOwner"
},
{
"members":[
"allUsers",
"projectViewer: PROJECT-ID"
],
"role":"roles/storage.legacyBucketReader"
}
]
}gsutil iam ch -d allUsers gs://BUCKET_NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAMEMitigations & Prevention
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2005-1835 | Data file under web root. |
Related Weaknesses
Taxonomy Mappings
- OWASP Top Ten 2004: A10 — Insecure Configuration Management
- CERT C Secure Coding: FIO15-C — Ensure that file operations are performed in a secure directory
Frequently Asked Questions
What is CWE-552?
CWE-552 (Files or Directories Accessible to External Parties) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product makes files or directories accessible to unauthorized actors, even though they should not be.
How can CWE-552 be exploited?
Attackers can exploit CWE-552 (Files or Directories Accessible to External Parties) to read files or directories, modify files or directories. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.
How do I prevent CWE-552?
Key mitigations include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
What is the severity of CWE-552?
CWE-552 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.