CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-58W9-H6F7-F979
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-31 00:00A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
{
"affected": [],
"aliases": [
"CVE-2021-3800"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.",
"id": "GHSA-58w9-h6f7-f979",
"modified": "2022-08-31T00:00:21Z",
"published": "2022-08-24T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3800"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3800"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1938284"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/commit/3529bb4450a51995"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00020.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221028-0004"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2017/06/23/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59G4-HPG3-3GCP
Vulnerability from github – Published: 2021-12-14 21:44 – Updated: 2022-01-04 18:53Opencast before version 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface.
Impact
Before Opencast 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine.
For example, to expose the custom.properties of develop.opencast.org via the asset manager, an attacker could have run:
curl -f -i -u admin:opencast \
https://develop.opencast.org/ingest/addMediaPackage/fast \
-F 'flavor=presenter/source'\
-F mediaUri=file:///srv/opencast/opencast-dist-allinone/etc/custom.properties\
-F title="custom.properties"
An attacker would need to have the privileges required to add new media to exploit this. But these are often widely given.
Patches
The issue has been fixed in Opencast 10.6 and 11.0.
Workarounds
You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.
References
For more information
If you have any questions or comments about this advisory: * Open an issue in our issue tracker * Email us at security@opencast.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-ingest-service-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43821"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T19:29:54Z",
"nvd_published_at": "2021-12-14T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Opencast before version 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast\u0027s host machines and making them available via the web interface.\n\n### Impact\n\nBefore Opencast 10.6, Opencast would [open and include local files during ingests](https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587). Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine.\n\nFor example, to expose the `custom.properties` of develop.opencast.org via the asset manager, an attacker could have run:\n\n```\ncurl -f -i -u admin:opencast \\\n https://develop.opencast.org/ingest/addMediaPackage/fast \\\n -F \u0027flavor=presenter/source\u0027\\\n -F mediaUri=file:///srv/opencast/opencast-dist-allinone/etc/custom.properties\\\n -F title=\"custom.properties\" \n```\n\nAn attacker would need to have the privileges required to add new media to exploit this. But these are often widely given.\n\n\n### Patches\n\nThe issue has been fixed in Opencast 10.6 and 11.0.\n\n### Workarounds\n\nYou can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.\n\n### References\n\n- [Example of problematic code](https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587).\n- [Patch fixing the issue](https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n* Email us at [security@opencast.org](mailto:security@opencast.org)\n",
"id": "GHSA-59g4-hpg3-3gcp",
"modified": "2022-01-04T18:53:43Z",
"published": "2021-12-14T21:44:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43821"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencast/opencast"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587"
},
{
"type": "WEB",
"url": "https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-impl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Files Accessible to External Parties in Opencast"
}
GHSA-59W9-V72G-J4RG
Vulnerability from github – Published: 2022-11-29 18:30 – Updated: 2022-12-02 15:30WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files.
{
"affected": [],
"aliases": [
"CVE-2022-44356"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-29T17:15:00Z",
"severity": "HIGH"
},
"details": "WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files.",
"id": "GHSA-59w9-v72g-j4rg",
"modified": "2022-12-02T15:30:26Z",
"published": "2022-11-29T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44356"
},
{
"type": "WEB",
"url": "https://github.com/strik3r0x1/Vulns/blob/main/Wavlink%20WL-WN531G3.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CQ6-9F97-WJWX
Vulnerability from github – Published: 2026-05-16 00:31 – Updated: 2026-05-16 03:31Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.
{
"affected": [],
"aliases": [
"CVE-2026-8704"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T23:16:21Z",
"severity": null
},
"details": "Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.",
"id": "GHSA-5cq6-9f97-wjwx",
"modified": "2026-05-16T03:31:27Z",
"published": "2026-05-16T00:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8704"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/Key.pm"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/15/27"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5CV5-89GG-486R
Vulnerability from github – Published: 2023-11-13 18:30 – Updated: 2023-11-13 18:30Improper input validation vulnerability in ChooserActivity prior to SMR Nov-2023 Release 1 allows local attackers to read arbitrary files with system privilege.
{
"affected": [],
"aliases": [
"CVE-2023-42534"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T08:15:17Z",
"severity": "MODERATE"
},
"details": "Improper input validation vulnerability in ChooserActivity prior to SMR Nov-2023 Release 1 allows local attackers to read arbitrary files with system privilege.",
"id": "GHSA-5cv5-89gg-486r",
"modified": "2023-11-13T18:30:59Z",
"published": "2023-11-13T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42534"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CXQ-3V7P-39J8
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.
{
"affected": [],
"aliases": [
"CVE-2025-12648"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:16:47Z",
"severity": "MODERATE"
},
"details": "The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/\u003cuser_id\u003e/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.",
"id": "GHSA-5cxq-3v7p-39j8",
"modified": "2026-01-07T12:31:20Z",
"published": "2026-01-07T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12648"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/admin/class-wp-members-admin-api.php#L707"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-forms.php#L604"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FX5-CFF6-F3FP
Vulnerability from github – Published: 2025-08-20 15:31 – Updated: 2025-12-20 02:44Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0-ga1"
},
{
"last_affected": "7.4.3.132-ga132"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43749"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-20T20:46:58Z",
"nvd_published_at": "2025-08-20T13:15:27Z",
"severity": "MODERATE"
},
"details": "Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library.",
"id": "GHSA-5fx5-cff6-f3fp",
"modified": "2025-12-20T02:44:54Z",
"published": "2025-08-20T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43749"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/5919534a979a97444172f49705b7a224e372e625"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/b88e7e0912d27cc166fc788b642616ece9e8c484"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-18176"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43749"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Unauthenticated File Access via URL"
}
GHSA-5GJ5-VJR8-VV8H
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2022-03-01 00:00This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder.
{
"affected": [],
"aliases": [
"CVE-2022-25297"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T08:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder.",
"id": "GHSA-5gj5-vjr8-vv8h",
"modified": "2022-03-01T00:00:44Z",
"published": "2022-02-22T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25297"
},
{
"type": "WEB",
"url": "https://github.com/drogonframework/drogon/pull/1174"
},
{
"type": "WEB",
"url": "https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GQ3-CCFH-828V
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-09-15 15:31Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Reported in CCleaner v. 6.33.11465. This issue affects CCleaner: before < 6.36.11508.
{
"affected": [],
"aliases": [
"CVE-2025-3025"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T13:15:36Z",
"severity": "HIGH"
},
"details": "Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Reported in CCleaner v. 6.33.11465. This issue affects CCleaner: before \u003c 6.36.11508.",
"id": "GHSA-5gq3-ccfh-828v",
"modified": "2025-09-15T15:31:21Z",
"published": "2025-09-15T15:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3025"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5Q5G-57MW-WMQ6
Vulnerability from github – Published: 2025-12-18 18:30 – Updated: 2025-12-18 18:30due to insufficient sanitazation in Vega’s convert() function when safeMode is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-14896"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T17:15:47Z",
"severity": "HIGH"
},
"details": "due to insufficient sanitazation in Vega\u2019s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.",
"id": "GHSA-5q5g-57mw-wmq6",
"modified": "2025-12-18T18:30:30Z",
"published": "2025-12-18T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14896"
},
{
"type": "WEB",
"url": "https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.