CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-HQ76-6GH2-5G4Q
Vulnerability from github – Published: 2025-10-27 16:20 – Updated: 2025-12-01 16:06Summary
A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the OpenCryptDevice feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution.
LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume: - Opens (cryptsetup open) without error using any passphrase or token - Records all writes in plaintext (or ciphertext with an attacker-known key) - Contains arbitrary data chosen by the attacker
Details
The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.
Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.
Impact
A LUKS2 disk encrypted with a master key, which is in turn encrypted with user passwords stored in some number of keyslots. By creating a malicious disk which sets the keyslot encryption algorithm to ”crypto_null-ecb”, an attacker can construct a disk such that keyslot decryption does not depend in any way on the enclave-held secret data. When a confidential guest opens such a device using cryptsetup open, the mapped disk is created without error, and any further writes to the disk are encrypted using an attacker-controlled key.
Patches
To protect against this and similar attacks, Constellation now performs detached reading of LUKS headers. The header is copied into the encrypted memory of the CVM and then verified. The verified header is then used to open the encrypted LUKS device in detached header mode. This was implemented in https://github.com/edgelesssys/constellation/pull/3927 and release as part of Constellation v2.24.0.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.23.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/edgelesssys/constellation/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58356"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-27T16:20:25Z",
"nvd_published_at": "2025-10-27T20:15:53Z",
"severity": "HIGH"
},
"details": "### Summary\nA malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the [OpenCryptDevice](https://github.com/edgelesssys/constellation/blob/6eff250f16f8ae48221d412550e4a64a4bf0d77b/csi/cryptmapper/cryptmapper.go#L89) feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution.\n\n\nLUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:\n- Opens (cryptsetup open) without error using any passphrase or token\n- Records all writes in plaintext (or ciphertext with an attacker-known key)\n- Contains arbitrary data chosen by the attacker\n\n\n### Details\nThe Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the `libcryptsetup` function [crypt_activate_by_passhrase](https://github.com/martinjungblut/go-cryptsetup/blob/fd0874fd07a6e477f0a4d18f2e80234983afe74f/device.go#L261). If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.\n\nCryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the `cipher_null-ecb` algorithm in the keyslot `encryption` field.\n\n### Impact\n\nA LUKS2 disk encrypted with a master key, which is in turn encrypted with user passwords stored in some number of keyslots. By creating a malicious disk which sets the keyslot encryption algorithm to `\u201dcrypto_null-ecb\u201d`, an attacker can construct a disk such that keyslot decryption does not depend in any way on the enclave-held secret data. When a confidential guest opens such a device using `cryptsetup open`, the mapped disk is created without error, and any further writes to the disk are encrypted using an attacker-controlled key.\n\n### Patches\n\nTo protect against this and similar attacks, Constellation now performs detached reading of LUKS headers. The header is copied into the encrypted memory of the CVM and then verified. The verified header is then used to open the encrypted LUKS device in detached header mode. This was implemented in https://github.com/edgelesssys/constellation/pull/3927 and release as part of [Constellation v2.24.0](https://github.com/edgelesssys/constellation/releases/tag/v2.24.0).",
"id": "GHSA-hq76-6gh2-5g4q",
"modified": "2025-12-01T16:06:06Z",
"published": "2025-10-27T16:20:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-hq76-6gh2-5g4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58356"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/constellation/pull/3927"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/constellation/commit/bb8d2c8a5c0a0a6510d2cc43055be21f4a3ab83c"
},
{
"type": "WEB",
"url": "https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms"
},
{
"type": "PACKAGE",
"url": "https://github.com/edgelesssys/constellation"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/constellation/releases/tag/v2.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Constellation has insecure LUKS2 persistent storage partitions which may be opened and used"
}
GHSA-HWH5-9MFV-G2M5
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows unstrusted applications to get current tab URL in Samsung Internet.
{
"affected": [],
"aliases": [
"CVE-2021-25521"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T15:15:00Z",
"severity": "LOW"
},
"details": "Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows unstrusted applications to get current tab URL in Samsung Internet.",
"id": "GHSA-hwh5-9mfv-g2m5",
"modified": "2021-12-14T00:01:37Z",
"published": "2021-12-09T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25521"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HX9X-77VG-HM99
Vulnerability from github – Published: 2024-11-12 06:30 – Updated: 2024-11-12 06:30Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker.
{
"affected": [],
"aliases": [
"CVE-2024-48838"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T04:15:05Z",
"severity": "LOW"
},
"details": "Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker.",
"id": "GHSA-hx9x-77vg-hm99",
"modified": "2024-11-12T06:30:34Z",
"published": "2024-11-12T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48838"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000247217/dsa-2024-425-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXHM-29VV-C6H2
Vulnerability from github – Published: 2025-07-30 21:31 – Updated: 2025-07-30 21:31Dell SmartFabric OS10 Software, versions prior to 10.6.0.5 contains a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker.
{
"affected": [],
"aliases": [
"CVE-2025-30103"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T19:15:47Z",
"severity": "MODERATE"
},
"details": "Dell SmartFabric OS10 Software, versions prior to 10.6.0.5 contains a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker.",
"id": "GHSA-hxhm-29vv-c6h2",
"modified": "2025-07-30T21:31:38Z",
"published": "2025-07-30T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30103"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000346195/dsa-2025-259-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J442-3QC2-XXC9
Vulnerability from github – Published: 2022-04-22 00:00 – Updated: 2022-05-03 00:00KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulnerability via the background management module.
{
"affected": [],
"aliases": [
"CVE-2022-28445"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulnerability via the background management module.",
"id": "GHSA-j442-3qc2-xxc9",
"modified": "2022-05-03T00:00:49Z",
"published": "2022-04-22T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28445"
},
{
"type": "WEB",
"url": "https://github.com/k0xx11/bug_report/blob/main/kitecms/Arbitrary-file-reading-1.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J5MX-VVX4-94PW
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian
{
"affected": [],
"aliases": [
"CVE-2019-7305"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-10T00:15:00Z",
"severity": "HIGH"
},
"details": "Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian",
"id": "GHSA-j5mx-vvx4-94pw",
"modified": "2022-05-24T17:13:59Z",
"published": "2022-05-24T17:13:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7305"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1822013"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J6H7-R25F-WGWW
Vulnerability from github – Published: 2023-10-04 18:30 – Updated: 2024-01-25 18:30A vulnerability in the on-device application development workflow feature for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an authenticated, remote attacker to access the underlying operating system as the root user.
This vulnerability exists because Docker containers with the privileged runtime option are not blocked when they are in application development mode. An attacker could exploit this vulnerability by using the Docker CLI to access an affected device. The application development workflow is meant to be used only on development systems and not in production systems.
{
"affected": [],
"aliases": [
"CVE-2023-20235"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T17:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability in the on-device application development workflow feature for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an authenticated, remote attacker to access the underlying operating system as the root user.\n\n This vulnerability exists because Docker containers with the privileged runtime option are not blocked when they are in application development mode. An attacker could exploit this vulnerability by using the Docker CLI to access an affected device. The application development workflow is meant to be used only on development systems and not in production systems.",
"id": "GHSA-j6h7-r25f-wgww",
"modified": "2024-01-25T18:30:44Z",
"published": "2023-10-04T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20235"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rdocker-uATbukKn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6VX-R77H-44WC
Vulnerability from github – Published: 2024-08-02 12:31 – Updated: 2025-03-27 23:33In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on a user with an administrator account could delete any file accessible by the Linkis system user. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.linkis:linkis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27182"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-02T15:16:07Z",
"nvd_published_at": "2024-08-02T10:16:00Z",
"severity": "HIGH"
},
"details": "In Apache Linkis \u003c= 1.5.0, Arbitrary file deletion in Basic management services on a user with an administrator account could delete any file accessible by the Linkis system user. Users are recommended to upgrade to version 1.6.0, which fixes this issue.",
"id": "GHSA-j6vx-r77h-44wc",
"modified": "2025-03-27T23:33:57Z",
"published": "2024-08-02T12:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27182"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/linkis"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2of1p433h8rbq2bx525rtftnk19oz38h"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/08/02/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Linkis arbitrary file deletion vulnerability"
}
GHSA-J7Q2-CXFQ-X3J6
Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-13 00:00The WSM Downloader WordPress plugin through 1.4.0 allows any visitor to use its remote file download feature to download any local files, including sensitive ones like wp-config.php.
{
"affected": [],
"aliases": [
"CVE-2022-2357"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-08T14:15:00Z",
"severity": "HIGH"
},
"details": "The WSM Downloader WordPress plugin through 1.4.0 allows any visitor to use its remote file download feature to download any local files, including sensitive ones like wp-config.php.",
"id": "GHSA-j7q2-cxfq-x3j6",
"modified": "2022-08-13T00:00:52Z",
"published": "2022-08-09T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2357"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/42499b84-684e-42e1-b7f0-de206d4da553"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7XG-86Q3-CW3P
Vulnerability from github – Published: 2025-08-20 18:30 – Updated: 2025-08-20 18:30ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 expose the mimencode binary via a CGI endpoint, allowing unauthenticated attackers to retrieve arbitrary files from the filesystem. By crafting a POST request to /cgi-bin/ck/mimencode with traversal and output parameters, attackers can read sensitive files such as /etc/passwd outside the webroot.
{
"affected": [],
"aliases": [
"CVE-2009-10005"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T16:15:32Z",
"severity": "HIGH"
},
"details": "ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 expose the mimencode binary via a CGI endpoint, allowing unauthenticated attackers to retrieve arbitrary files from the filesystem. By crafting a POST request to /cgi-bin/ck/mimencode with traversal and output parameters, attackers can read sensitive files such as /etc/passwd outside the webroot.",
"id": "GHSA-j7xg-86q3-cw3p",
"modified": "2025-08-20T18:30:21Z",
"published": "2025-08-20T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-10005"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20100325220542/http://www.contentkeeper.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/16923"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/contentkeeper-web-appliance-arbitrary-file-access-via-mimencode"
},
{
"type": "WEB",
"url": "http://www.aushack.com/200904-contentkeeper.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.