Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-527 (将CVS仓库暴露给非授权控制范围) — Vulnerability Class 2

2 vulnerabilities classified as CWE-527 (将CVS仓库暴露给非授权控制范围). AI Chinese analysis included.

CWE-527 represents a critical information disclosure weakness where version control repositories, such as Git or CVS, are inadvertently exposed to unauthorized actors. This vulnerability typically arises when developers deploy application code without excluding hidden metadata directories like .git or .svn, leaving them accessible via web servers or included in public archives. Attackers exploit this by directly accessing these exposed directories to retrieve sensitive source code, configuration files, and commit history, which often contain hardcoded credentials, API keys, and internal architectural details. To prevent this, developers must rigorously configure their deployment pipelines to exclude version control artifacts. Utilizing .gitignore files, implementing server-side rules to deny access to hidden directories, and conducting regular security audits ensure that sensitive repository data remains isolated from the public internet, thereby protecting intellectual property and preventing credential leakage.

MITRE CWE Description
The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed "diff" data about how files have been changed - which could reveal source code snippets that were never intended to be made public.
Common Consequences (1)
ConfidentialityRead Application Data, Read Files or Directories
Mitigations (1)
Operation, Distribution, System ConfigurationRecommendations include removing any CVS directories and repositories from the production server, disabling the use of remote CVS repositories, and ensuring that the latest CVS patches and version updates have been performed.
CVE IDTitleCVSSSeverityPublished
CVE-2022-20931 Cisco Touch 10 Device Downgrade Attack Vulnerability — Cisco TelePresence Endpoint Software (TC/CE) 6.5 Medium2024-11-15
CVE-2021-21423 Exposure of Version-Control Repository to an Unauthorized Control Sphere in projen — projen 6.8 Medium2021-04-06

Vulnerabilities classified as CWE-527 (将CVS仓库暴露给非授权控制范围) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.