CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-538: File and Directory Information Exposure

 
File and Directory Information Exposure
Weakness ID: 538 (Weakness Base)Status: Draft
+ Description

Description Summary

The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.
+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Read files or directories

+ Potential Mitigations

Phases: Architecture and Design; Operation; System Configuration

Do not expose file and directory information to the user.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory815OWASP Top Ten 2010 Category A6 - Security Misconfiguration
Weaknesses in OWASP Top Ten (2010) (primary)809
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness VariantWeakness Variant527Exposure of CVS Repository to an Unauthorized Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant528Exposure of Core Dump File to an Unauthorized Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant529Exposure of Access Control List Files to an Unauthorized Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant530Exposure of Backup File to an Unauthorized Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant532Information Exposure Through Log Files
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant539Information Exposure Through Persistent Cookies
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant540Information Exposure Through Source Code
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant548Information Exposure Through Directory Listing
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant651Information Exposure Through WSDL File
Development Concepts (primary)699
Research Concepts (primary)1000
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 12: Information Leakage." Page 191. McGraw-Hill. 2010.
+ Maintenance Notes

Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.

There is a close relationship with CWE-552, which is more focused on weaknesses. As a result, it may be more appropriate to convert CWE-538 to a category.

+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Type
2009-12-28MITREInternal
updated Description, Maintenance_Notes, Name
2010-09-09VeracodeExternal
Suggested OWASP Top Ten mapping
2010-09-27MITREInternal
updated Relationships
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated References, Related_Attack_Patterns, Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
2013-02-21MITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-12-28File and Directory Information Leaks
Page Last Updated: June 23, 2014