1. Home
  2. CWE Database
  3. CWE-612
Base · Medium

CWE-612: Improper Authorization of Index Containing Sensitive Information

The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.

CWE-612 · Base Level ·1 CVEs

Description

The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.

Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.

Potential Impact

Confidentiality

Read Application Data

Real-World CVE Examples

CVE IDDescription
CVE-2022-41918A search application's access control rules are not properly applied to indices for data streams, allowing for the viewing of sensitive information.

CWE-1230: Exposure of Sensitive Information Through Metadata

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit ac...

Taxonomy Mappings

  • WASC: 48 — Insecure Indexing

Frequently Asked Questions

What is CWE-612?

CWE-612 (Improper Authorization of Index Containing Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.

How can CWE-612 be exploited?

Attackers can exploit CWE-612 (Improper Authorization of Index Containing Sensitive Information) to read application data. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-612?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-612?

CWE-612 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.