CWE-552: Files or Directories Accessible to External Parties

BaseDraft

The product makes files or directories accessible to unauthorized actors, even though they should not be.

View on MITRE
Back to CWE Lookup

Extended Description

Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-552: Files or Directories Accessible to External Parties?+

CWE-552: Files or Directories Accessible to External Parties is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.

What are the security consequences of Files or Directories Accessible to External Parties?+

If exploited, CWE-552 (Files or Directories Accessible to External Parties) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Files or Directories and Modify Files or Directories.

How do you prevent or mitigate Files or Directories Accessible to External Parties?+

Recommended mitigations for CWE-552 include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

Which programming languages are affected by Files or Directories Accessible to External Parties?+

CWE-552 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Files or Directories Accessible to External Parties?+

MITRE documents real CVEs mapped to CWE-552, including CVE-2005-1835. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-552 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More