CWE-651: Exposure of WSDL File Containing Sensitive Information

VariantIncomplete

The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).

View on MITRE
Back to CWE Lookup

Extended Description

An information exposure may occur if any of the following apply: The WSDL file is accessible to a wider audience than intended. The WSDL file contains information on the methods/services that should not be publicly accessible or information about deprecated methods. This problem is made more likely due to the WSDL often being automatically generated from the code. Information in the WSDL file helps guess names/locations of methods/resources that should not be publicly accessible.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-651: Exposure of WSDL File Containing Sensitive Information?+

CWE-651: Exposure of WSDL File Containing Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). An information exposure may occur if any of the following apply: The WSDL file is accessible to a wider audience than intended. The WSDL file contains information on the methods/services that should not be publicly accessible or information about deprecated methods. This problem is made more likely due to the WSDL often being automatically generated from the code. Information in the WSDL file helps guess names/locations of methods/resources that should not be publicly accessible.

What are the security consequences of Exposure of WSDL File Containing Sensitive Information?+

If exploited, CWE-651 (Exposure of WSDL File Containing Sensitive Information) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Exposure of WSDL File Containing Sensitive Information?+

Recommended mitigations for CWE-651 include: Limit access to the WSDL file as much as possible. If services are provided only to a limited number of entities, it may be better to provide WSDL privately to each of these entities than to publish WSDL publicly. Do not use method names in WSDL that might help an adversary guess names of private methods/resources used by the service.

Which programming languages are affected by Exposure of WSDL File Containing Sensitive Information?+

CWE-651 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-651 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-651: Exposure of WSDL File Containing Sensitive Information | CWE Lookup | InventiveHQ