Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-612 (通过私有数据的索引导致的信息暴露) — Vulnerability Class 9

9 vulnerabilities classified as CWE-612 (通过私有数据的索引导致的信息暴露). AI Chinese analysis included.

CWE-612 represents a critical access control weakness where systems create searchable indexes of sensitive documents but fail to enforce authorization checks on the index itself. Attackers typically exploit this by querying the public-facing search index to retrieve metadata, file paths, or snippets from restricted documents, effectively bypassing the underlying security controls that protect the original files. This vulnerability arises because the index often operates independently of the document’s permission settings, allowing unauthorized users to discover and access private information through search results. To prevent this, developers must ensure that authorization mechanisms are consistently applied to both the source documents and their corresponding indexes. Implementing robust access control lists for index entries and validating user permissions before returning search results are essential steps to mitigate this risk and maintain data confidentiality.

MITRE CWE Description
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index's results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.
Common Consequences (1)
ConfidentialityRead Application Data
CVE IDTitleCVSSSeverityPublished
CVE-2019-25605 EquityPandit 1.0 Insecure Logging Information Disclosure — EquityPandit 7.5 High2026-03-22
CVE-2025-3660 Petlibro Smart Pet Feeder Platform through 1.7.31 Broken Access Control via API endpoint — Smart Pet Feeder Platform 6.5 Medium2026-01-03
CVE-2025-3654 Petlibro Smart Pet Feeder Platform through 1.7.31 Information Disclosure via API endpoint — Smart Pet Feeder Platform 5.3 Medium2026-01-03
CVE-2025-3653 Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint — Smart Pet Feeder Platform 7.3 High2026-01-03
CVE-2024-49071 Windows Defender Information Disclosure Vulnerability — Microsoft Defender for Endpoint for Windows 6.5 Medium2024-12-12
CVE-2024-25635 IDOR Vulnerability: Allowing Organization Owner to view the other Organizations API KEY and USERS — alf.io 8.8 High2024-02-19
CVE-2023-4560 Improper Authorization of Index Containing Sensitive Information in omeka/omeka-s — omeka/omeka-s 4.3 -2023-08-28
CVE-2022-35980 OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information — security 7.5 High2022-08-12
CVE-2022-22565 Dell Technologies Dell PowerScale OneFS 安全漏洞 — PowerScale OneFS 4.7 Medium2022-04-12

Vulnerabilities classified as CWE-612 (通过私有数据的索引导致的信息暴露) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.