CWE-612 通过私有数据的索引导致的信息暴露

admin 2021年12月16日16:17:45评论29 views字数 1145阅读3分49秒阅读模式

CWE-612 通过私有数据的索引导致的信息暴露

Information Exposure Through Indexing of Private Data

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

The product performs an indexing routine against private documents, but does not sufficiently verify that the actors who can access the index also have the privileges to access the private documents.

扩展描述

When an indexing routine is applied against a group of private documents, and that index's results are available to outsiders who do not have access to those documents, then outsiders might be able to obtain sensitive information by conducting targeted searches. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Confidentiality Read Application Data

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
WASC 48 Insecure Indexing

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年12月16日16:17:45
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-612 通过私有数据的索引导致的信息暴露https://cn-sec.com/archives/613080.html

发表评论

匿名网友 填写信息