VariantDraft

CWE-219Storage of File with Sensitive Data Under Web Root

Category: data-exposure

Description

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.

Common consequences· 1

  • Confidentiality — Read Application Data

Potential mitigations· 2

  • [Implementation, System Configuration]Avoid storing information under the web root directory.
  • [System Configuration]Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.

References

  1. https://cwe.mitre.org/data/definitions/219.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Storage of File With Sensitive Data Under FTP Root
CWE
Insecure Storage of Sensitive Information
CWE
Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE
Files or Directories Accessible to External Parties
CWE
Storage of Sensitive Data in a Mechanism without Access Control
CWE
Cleartext Storage in a File or on Disk
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.