Common Weakness Enumeration

CWE-552

Allowed

Files or Directories Accessible to External Parties

Abstraction: Base · Status: Draft

The product makes files or directories accessible to unauthorized actors, even though they should not be.

670 vulnerabilities reference this CWE, most recent first.

GHSA-23H8-GGH4-VMHV

Vulnerability from github – Published: 2024-02-06 21:30 – Updated: 2025-05-15 21:31
VLAI
Details

Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T20:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Aria Operations for Networks contains a local file read vulnerability.\u00a0A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.",
  "id": "GHSA-23h8-ggh4-vmhv",
  "modified": "2025-05-15T21:31:19Z",
  "published": "2024-02-06T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22240"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2024-0002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23J4-MW76-5V7H

Vulnerability from github – Published: 2024-05-14 20:14 – Updated: 2024-05-14 20:14
VLAI
Summary
Scrapy allows redirect following in protocols other than HTTP
Details

Impact

Scrapy was following redirects regardless of the URL protocol, so redirects were working for data://, file://, ftp://, s3://, and any other scheme defined in the DOWNLOAD_HANDLERS setting.

However, HTTP redirects should only work between URLs that use the http:// or https:// schemes.

A malicious actor, given write access to the start requests (e.g. ability to define start_urls) of a spider and read access to the spider output, could exploit this vulnerability to: - Redirect to any local file using the file:// scheme to read its contents. - Redirect to an ftp:// URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project. - Redirect to any s3:// URL to read its content using the S3 credentials configured in the spider or project.

For file:// and s3://, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracted only fragments from the response could significantly limit vulnerable data.

Patches

Upgrade to Scrapy 2.11.2.

Workarounds

Replace the built-in retry middlewares (RedirectMiddleware and MetaRefreshMiddleware) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.

References

This security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:14:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nScrapy was following redirects regardless of the URL protocol, so redirects were working for `data://`, `file://`, `ftp://`, `s3://`, and any other scheme defined in the `DOWNLOAD_HANDLERS` setting.\n\nHowever, HTTP redirects should only work between URLs that use the `http://` or `https://` schemes.\n\nA malicious actor, given write access to the start requests (e.g. ability to define `start_urls`) of a spider and read access to the spider output, could exploit this vulnerability to:\n- Redirect to any local file using the `file://` scheme to read its contents.\n- Redirect to an `ftp://` URL of a malicious FTP server to obtain the FTP username and password configured in the spider or project.\n- Redirect to any `s3://` URL to read its content using the S3 credentials configured in the spider or project.\n\nFor `file://` and `s3://`, how the spider implements its parsing of input data into an output item determines what data would be vulnerable. A spider that always outputs the entire contents of a response would be completely vulnerable, while a spider that extracted only fragments from the response could significantly limit vulnerable data.\n\n### Patches\n\nUpgrade to Scrapy 2.11.2.\n\n### Workarounds\n\nReplace the built-in retry middlewares (`RedirectMiddleware` and `MetaRefreshMiddleware`) with custom ones that implement the fix from Scrapy 2.11.2, and verify that they work as intended.\n\n### References\n\nThis security issue was reported by @mvsantos at https://github.com/scrapy/scrapy/issues/457.\n",
  "id": "GHSA-23j4-mw76-5v7h",
  "modified": "2024-05-14T20:14:50Z",
  "published": "2024-05-14T20:14:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/issues/457"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scrapy allows redirect following in protocols other than HTTP"
}

GHSA-2425-R3XX-W4V7

Vulnerability from github – Published: 2023-10-24 00:31 – Updated: 2024-04-04 08:53
VLAI
Details

carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T23:15:38Z",
    "severity": "HIGH"
  },
  "details": "carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).",
  "id": "GHSA-2425-r3xx-w4v7",
  "modified": "2024-04-04T08:53:42Z",
  "published": "2023-10-24T00:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33517"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/wushigudan/288ab32566615d8897c1da7ce7204838"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2559-M273-3QPF

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to to the /lib/crud/configcompare.crud.php script.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-20T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to to the /lib/crud/configcompare.crud.php script.",
  "id": "GHSA-2559-m273-3qpf",
  "modified": "2022-05-24T19:11:48Z",
  "published": "2022-05-24T19:11:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25351"
    },
    {
      "type": "WEB",
      "url": "https://stark0de.com/2020/08/27/pwning-rconfig-part-one.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2579-38W7-JC76

Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30
VLAI
Details

IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T20:15:40Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.",
  "id": "GHSA-2579-38w7-jc76",
  "modified": "2025-11-10T21:30:36Z",
  "published": "2025-11-10T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33150"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7250395"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2652-63HR-2GVH

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-03-24 15:30
VLAI
Details

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.",
  "id": "GHSA-2652-63hr-2gvh",
  "modified": "2025-03-24T15:30:32Z",
  "published": "2022-05-24T17:26:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24312"
    },
    {
      "type": "WEB",
      "url": "https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-26GM-RMPQ-M43W

Vulnerability from github – Published: 2026-03-06 15:31 – Updated: 2026-03-06 15:31
VLAI
Details

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-06T13:15:57Z",
    "severity": "HIGH"
  },
  "details": "EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.",
  "id": "GHSA-26gm-rmpq-m43w",
  "modified": "2026-03-06T15:31:29Z",
  "published": "2026-03-06T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25164"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45868"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/eversync-arbitrary-file-download-via-files-directory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2739-P2PG-H53M

Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-12 19:00
VLAI
Details

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.",
  "id": "GHSA-2739-p2pg-h53m",
  "modified": "2022-10-12T19:00:35Z",
  "published": "2022-10-11T12:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2981"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-274C-RX2J-2V3X

Vulnerability from github – Published: 2023-01-18 18:30 – Updated: 2025-04-04 19:35
VLAI
Summary
OpenStack Swift XML external entities (XXE) Injection
Details

An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.29.0"
            },
            {
              "fixed": "2.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.30.0"
            },
            {
              "fixed": "2.30.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.30.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-47950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:30:33Z",
    "nvd_published_at": "2023-01-18T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).",
  "id": "GHSA-274c-rx2j-2v3x",
  "modified": "2025-04-04T19:35:40Z",
  "published": "2023-01-18T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47950"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/12e54391861e7d182d58f89fb88b027e65842640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/7d13d1a82e1f5d01205a13184907501b4fcbe2b0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/8dd96470a859dc7b189404fb67bd3899ae9c617f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/baa98848451b5c234443a068691e12841a5a8383"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/c834e7a53d5a33a3fd13ffd954e6f4f4ee953dfc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/d8d04ef43c90079d436b2e49617b4425ba39c28e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/swift/commit/f10672514217adadfc776d9ea2ffb20a37ce073b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/swift"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/1998625"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2023-001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5327"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenStack Swift XML external entities (XXE) Injection"
}

GHSA-276Q-X642-X3GW

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-04 00:00
VLAI
Details

HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/.",
  "id": "GHSA-276q-x642-x3gw",
  "modified": "2022-03-04T00:00:33Z",
  "published": "2022-02-25T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ttimot24/HorizontCMS/issues/43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

CAPEC-150: Collect Data from Common Resource Locations

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

CAPEC-639: Probe System Files

An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.