CWE-538 文件和路径信息暴露
File and Directory Information Exposure
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Files or Directories |
可能的缓解方案
['Architecture and Design', 'Operation', 'System Configuration']
策略:
Do not expose file and directory information to the user.
Notes
Maintenance
Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.
Maintenance
There is a close relationship with CWE-552, which is more focused on weaknesses. As a result, it may be more appropriate to convert CWE-538 to a category.
相关攻击模式
- CAPEC-95
引用
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论