1 vulnerability classified as CWE-529 (Exposure of Access Control List Files to an Unauthorized Control Sphere). AI Chinese analysis included.
CWE-529 represents a critical access control weakness where sensitive configuration files, specifically those defining access control lists, are stored in directories accessible to unauthorized actors. This exposure allows attackers to harvest detailed insights into system architecture and security policies, potentially revealing trusted internal systems or bypassing intended restrictions. Exploitation typically involves an adversary scanning accessible directories to locate these unprotected files, thereby gaining the intelligence necessary to craft targeted attacks or elevate privileges. To mitigate this risk, developers must enforce strict file system permissions, ensuring that access control list files are readable only by authorized processes and users. Additionally, implementing robust directory traversal protections and regularly auditing file storage locations helps prevent accidental exposure, thereby maintaining the integrity of the security boundary and protecting the system from information disclosure vulnerabilities.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2014-0752 | Ecava IntegraXor Exposure of Access Control List Files to an Unauthorized Control Sphere — IntegraXor | 7.5 | - | 2014-01-09 |
Vulnerabilities classified as CWE-529 (Exposure of Access Control List Files to an Unauthorized Control Sphere) account for 1 CVE. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.