The product makes files or directories accessible to unauthorized actors, even though they should not be.
View on MITREWeb servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
No detection method information available for this CWE.
The following Azure command updates the settings for a storage account:
However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs.
The following Azure command updates the settings for a storage account:
However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs.
The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':
Suppose the command returns the following result:
The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':
Suppose the command returns the following result:
No relationship information available for this CWE.
CWE-552: Files or Directories Accessible to External Parties is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
If exploited, CWE-552 (Files or Directories Accessible to External Parties) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Files or Directories and Modify Files or Directories.
Recommended mitigations for CWE-552 include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CWE-552 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-552, including CVE-2005-1835. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-552 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.