
CWE-538 (File and Path Information Exposure) — Vulnerability Class 68

68 vulnerabilities classified as CWE-538 (File and Path Information Exposure). AI-generated Chinese analysis included.

CWE-538 describes a data exposure weakness in which an application stores sensitive information in files or directories that actors who are not entitled to that information can nevertheless read. The weakness typically arises when developers fail to enforce strict access controls on storage locations, so that anyone with basic file system permissions can read confidential data such as credentials, session tokens, or personally identifiable information. Attackers exploit this by navigating to the exposed directory and reading the unprotected files, often bypassing application-level security measures entirely. To mitigate the risk, developers should apply restrictive file permissions so that sensitive data is stored in directories accessible only to the application process. Encrypting data at rest and using secure, temporary storage mechanisms further reduce the chance of unauthorized access and help preserve the confidentiality and integrity of critical information.

MITRE CWE Description
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Common Consequences (1)
Scope: Confidentiality. Impact: Read Files or Directories.

Mitigations (1)
Phases: Architecture and Design, Operation, System Configuration. Do not expose file and directory information to the user.

Examples (1)
In the following code snippet, a user's full name and credit card number are written to a log file.

    // Sensitive data (name and card number) written in cleartext to a log file
    logger.info("Username: " + username + ", CCN: " + ccn);

Bad · Java
CVE ID | Title | CVSS | Severity | Published
CVE-2019-6851 | Multiple Schneider Products Information Disclosure Vulnerability — Modicon M580, Modicon M340, Modicon Premium, Modicon Quantum (all firmware versions) | 7.5 | - | 2019-10-29
CVE-2019-7618 | Elastic Code Path Traversal Vulnerability — Elastic Code | 5.5 | - | 2019-10-01
CVE-2019-12623 | Cisco Enterprise Network Functions Virtualization Infrastructure Software File Enumeration Vulnerability — Cisco Enterprise NFV Infrastructure Software | 4.3 | - | 2019-08-21
CVE-2018-4847 | Siemens SIMATIC WinCC OA Operator iOS App Security Vulnerability — SIMATIC WinCC OA Operator iOS App | 4.6 | - | 2018-04-23
CVE-2017-16770 | Synology Surveillance Station Information Disclosure Vulnerability — Surveillance Station | 6.5 | - | 2018-02-27
CVE-2017-9947 | Siemens APOGEE PXC BACnet Automation Controller and Siemens TALON TC BACnet Automation Controller Path Traversal Vulnerability — APOGEE PXC and TALON TC BACnet Automation Controllers, all versions < V3.5 | 5.3 | - | 2017-10-23
CVE-2014-0771 | Advantech WebAccess File and Directory Information Exposure — WebAccess | 6.5 | - | 2014-04-12
CVE-2014-0772 | Advantech WebAccess File and Directory Information Exposure — WebAccess | 6.5 | - | 2014-04-12

Vulnerabilities classified as CWE-538 (File and Path Information Exposure) account for 68 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.