Abstraction: Variant · Status: Draft

CWE-548: Exposure of Information Through Directory Listing

Category: data-exposure

Description

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Common consequences · 1

  • Confidentiality — Read Files or Directories
    Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data.

Potential mitigations · 1

  • [Architecture and Design, System Configuration] Restrict access to important directories and files by applying a need-to-know requirement to both the document root and the server root, and turn off features such as automatic directory listings (Apache mod_autoindex, nginx autoindex, and the equivalents in other servers) that expose private files and give an attacker information useful for planning or carrying out an attack. Disabling the listing alone is not an access control: a file that should not be public remains retrievable by anyone who knows or guesses its name, so the restriction on the files themselves still has to be in place.
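The following Python script is an added example and is not part of the MITRE entry or of this page. It shows the detection side of the mitigation above: given an HTTP response body, it decides whether the page is an auto-generated directory index (matching the default title templates of Apache mod_autoindex, nginx autoindex, Python's http.server, Tomcat's DefaultServlet and IIS directory browsing; these templates are assumed to be unmodified), extracts the listed entries, and flags names that are typically sensitive (dumps, backups, `.env`, `.git`). The four response bodies in `SAMPLES` are constructed for the example, not captured from any real host.

```python
import re
from html.parser import HTMLParser
from urllib.request import urlopen

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "apache": """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="db_dump.sql">db_dump.sql</a> 2024-01-12 03:14 12M
<a href="config.php.bak">config.php.bak</a> 2024-01-12 03:14 2.1K
<a href="notes.txt">notes.txt</a> 2024-01-10 18:02 512
<hr></pre></body></html>""",
    "nginx": """<html><head><title>Index of /static/</title></head>
<body><h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href=".env">.env</a>  12-Jan-2024 03:14  220
<a href="app.js">app.js</a>  12-Jan-2024 03:14  9081
</pre><hr></body></html>""",
    "python": """<!DOCTYPE HTML>
<html><head><title>Directory listing for /uploads/</title></head>
<body><h1>Directory listing for /uploads/</h1><hr><ul>
<li><a href=".git/">.git/</a></li>
<li><a href="logo.png">logo.png</a></li>
</ul><hr></body></html>""",
    # A normal page whose heading happens to contain "Index of": must not be flagged.
    "normal": """<html><head><title>Welcome</title></head>
<body><h1>Index of services</h1><p>Nothing to see.</p></body></html>""",
}

# Title templates of common servers' auto-generated indexes. The "/" after the
# phrase is required so that ordinary pages mentioning "Index of ..." don't match.
LISTING_TITLES = (
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex, nginx autoindex
    re.compile(r"<title>\s*Directory listing for /", re.I),  # Python http.server, Tomcat DefaultServlet
    re.compile(r"<title>[^<]+ - /[^<]*</title>", re.I),      # IIS directory browsing ("host - /path/")
)

# Names that, when exposed by a listing, usually mean source, secrets or data leaked.
SENSITIVE = re.compile(
    r"(^\.env$|^\.git/?$|^\.svn/?$|^\.htpasswd$|"
    r"\.(sql|bak|old|orig|swp|zip|tar\.gz|tgz|key|pem|log)$)", re.I)


class _LinkCollector(HTMLParser):
    """Collects every href in the document (entries in an index are plain <a> links)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def analyze(body: str) -> dict:
    """Return {'listing': bool, 'entries': [...], 'sensitive': [...]} for one response body."""
    if not any(p.search(body) for p in LISTING_TITLES):
        return {"listing": False, "entries": [], "sensitive": []}
    collector = _LinkCollector()
    collector.feed(body)
    # Drop sort links (?C=...), the parent/root links and absolute URLs; keep real entries.
    entries = [h for h in collector.hrefs
               if not h.startswith(("?", "/", "../", "http://", "https://"))]
    return {
        "listing": True,
        "entries": entries,
        "sensitive": [e for e in entries if SENSITIVE.search(e)],
    }


def fetch_and_analyze(url: str, timeout: float = 5.0) -> dict:
    """Live variant for a host you are authorised to test; not exercised offline."""
    with urlopen(url, timeout=timeout) as resp:  # noqa: S310 (URL chosen by the operator)
        body = resp.read(1_000_000).decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return analyze(body)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyze(body))
```

The check is deliberately anchored on the `<title>` rather than on the presence of many links, because a site's own navigation page can legitimately contain dozens of anchors, while the default index templates are distinctive. The fix on the server side is one directive: `Options -Indexes` in the relevant Apache `<Directory>` block, or `autoindex off;` in nginx (its default); after changing it, re-run the check and confirm the path now returns 403 or 404 rather than an index.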

References

  1. https://cwe.mitre.org/data/definitions/548.html

Compliance frameworks addressing this (incoming) · 4

Type               Target                  Confidence  Tier
ComplianceControl  iso27701-a.7.4.5        100%        live
ComplianceControl  pci_dss_v4-r12          100%        live
ComplianceControl  cis_v8-3                100%        live
ComplianceControl  owasp_api_top10-api08   100%        live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Files or Directories Accessible to External Parties
  • CWE: Insertion of Sensitive Information into Externally-Accessible File or Directory
  • CWE: Exposure of Access Control List Files to an Unauthorized Control Sphere
  • CWE: Exposure of Sensitive Information Through Metadata
  • CWE: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.