CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-23H8-GGH4-VMHV
Vulnerability from github – Published: 2024-02-06 21:30 – Updated: 2025-05-15 21:31Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-22240"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T20:16:03Z",
"severity": "MODERATE"
},
"details": "Aria Operations for Networks contains a local file read vulnerability.\u00a0A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.",
"id": "GHSA-23h8-ggh4-vmhv",
"modified": "2025-05-15T21:31:19Z",
"published": "2024-02-06T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22240"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23J4-MW76-5V7H
Vulnerability from github – Published: 2024-05-14 20:14 – Updated: 2024-05-14 20:14Impact
Scrapy was following redirects regardless of the URL protocol, so redirects were working for data://, file://, ftp://, s3://, and any other scheme defined in the DOWNLOAD_HANDLERS setting.
However, HTTP redirects should only work between URLs that use the http:// or https:// schemes.
A malicious actor, given write access to the start requests (e.g. ability to define start_urls) of a spider and read access to the spider output, could exploit this vulnerability to:
- Redirect to any local file using the file:// scheme to read its contents.
- Redirect to an ftp:// URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project.
- Redirect to any s3:// URL to read its content using the S3 credentials configured in the spider or project.
For file:// and s3://, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracted only fragments from the response could significantly limit vulnerable data.
Patches
Upgrade to Scrapy 2.11.2.
Workarounds
Replace the built-in retry middlewares (RedirectMiddleware and MetaRefreshMiddleware) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.
References
This security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Scrapy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T20:14:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nScrapy was following redirects regardless of the URL protocol, so redirects were working for `data://`, `file://`, `ftp://`, `s3://`, and any other scheme defined in the `DOWNLOAD_HANDLERS` setting.\n\nHowever, HTTP redirects should only work between URLs that use the `http://` or `https://` schemes.\n\nA malicious actor, given write access to the start requests (e.g. ability to define `start_urls`) of a spider and read access to the spider output, could exploit this vulnerability to:\n- Redirect to any local file using the `file://` scheme to read its contents.\n- Redirect to an `ftp://` URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project.\n- Redirect to any `s3://` URL to read its content using the S3 credentials configured in the spider or project.\n\nFor `file://` and `s3://`, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracted only fragments from the response could significantly limit vulnerable data.\n\n### Patches\n\nUpgrade to Scrapy 2.11.2.\n\n### Workarounds\n\nReplace the built-in retry middlewares (`RedirectMiddleware` and `MetaRefreshMiddleware`) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.\n\n### References\n\nThis security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.\n",
"id": "GHSA-23j4-mw76-5v7h",
"modified": "2024-05-14T20:14:50Z",
"published": "2024-05-14T20:14:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h"
},
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/issues/457"
},
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6"
},
{
"type": "PACKAGE",
"url": "https://github.com/scrapy/scrapy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Scrapy allows redirect following in protocols other than HTTP"
}
GHSA-2425-R3XX-W4V7
Vulnerability from github – Published: 2023-10-24 00:31 – Updated: 2024-04-04 08:53carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).
{
"affected": [],
"aliases": [
"CVE-2023-33517"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T23:15:38Z",
"severity": "HIGH"
},
"details": "carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).",
"id": "GHSA-2425-r3xx-w4v7",
"modified": "2024-04-04T08:53:42Z",
"published": "2023-10-24T00:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33517"
},
{
"type": "WEB",
"url": "https://gist.github.com/wushigudan/288ab32566615d8897c1da7ce7204838"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2559-M273-3QPF
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to to the /lib/crud/configcompare.crud.php script.
{
"affected": [],
"aliases": [
"CVE-2020-25351"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to to the /lib/crud/configcompare.crud.php script.",
"id": "GHSA-2559-m273-3qpf",
"modified": "2022-05-24T19:11:48Z",
"published": "2022-05-24T19:11:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25351"
},
{
"type": "WEB",
"url": "https://stark0de.com/2020/08/27/pwning-rconfig-part-one.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2579-38W7-JC76
Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.
{
"affected": [],
"aliases": [
"CVE-2025-33150"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T20:15:40Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.",
"id": "GHSA-2579-38w7-jc76",
"modified": "2025-11-10T21:30:36Z",
"published": "2025-11-10T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33150"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7250395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2652-63HR-2GVH
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-03-24 15:30mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
{
"affected": [],
"aliases": [
"CVE-2020-24312"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.",
"id": "GHSA-2652-63hr-2gvh",
"modified": "2025-03-24T15:30:32Z",
"published": "2022-05-24T17:26:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24312"
},
{
"type": "WEB",
"url": "https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-26GM-RMPQ-M43W
Vulnerability from github – Published: 2026-03-06 15:31 – Updated: 2026-03-06 15:31EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.
{
"affected": [],
"aliases": [
"CVE-2018-25164"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T13:15:57Z",
"severity": "HIGH"
},
"details": "EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.",
"id": "GHSA-26gm-rmpq-m43w",
"modified": "2026-03-06T15:31:29Z",
"published": "2026-03-06T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25164"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45868"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/eversync-arbitrary-file-download-via-files-directory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2739-P2PG-H53M
Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-12 19:00The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
{
"affected": [],
"aliases": [
"CVE-2022-2981"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.",
"id": "GHSA-2739-p2pg-h53m",
"modified": "2022-10-12T19:00:35Z",
"published": "2022-10-11T12:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2981"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-274C-RX2J-2V3X
Vulnerability from github – Published: 2023-01-18 18:30 – Updated: 2025-04-04 19:35An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "swift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.28.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "swift"
},
"ranges": [
{
"events": [
{
"introduced": "2.29.0"
},
{
"fixed": "2.29.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "swift"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.30.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.30.0"
]
}
],
"aliases": [
"CVE-2022-47950"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:30:33Z",
"nvd_published_at": "2023-01-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).",
"id": "GHSA-274c-rx2j-2v3x",
"modified": "2025-04-04T19:35:40Z",
"published": "2023-01-18T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47950"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/12e54391861e7d182d58f89fb88b027e65842640"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/7d13d1a82e1f5d01205a13184907501b4fcbe2b0"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/8dd96470a859dc7b189404fb67bd3899ae9c617f"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/baa98848451b5c234443a068691e12841a5a8383"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/c834e7a53d5a33a3fd13ffd954e6f4f4ee953dfc"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/d8d04ef43c90079d436b2e49617b4425ba39c28e"
},
{
"type": "WEB",
"url": "https://github.com/openstack/swift/commit/f10672514217adadfc776d9ea2ffb20a37ce073b"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/swift"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1998625"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00021.html"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2023-001.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5327"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Swift XML external entities (XXE) Injection"
}
GHSA-276Q-X642-X3GW
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-04 00:00HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/.
{
"affected": [],
"aliases": [
"CVE-2022-25104"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T15:15:00Z",
"severity": "HIGH"
},
"details": "HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/.",
"id": "GHSA-276q-x642-x3gw",
"modified": "2022-03-04T00:00:33Z",
"published": "2022-02-25T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25104"
},
{
"type": "WEB",
"url": "https://github.com/ttimot24/HorizontCMS/issues/43"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.