CWE-552 479 个 CVE MITRE 定义 ↗

CWE-552:Files or Directories Accessible to External Parties

概览

CWE-552(Files or Directories Accessible to External Parties)描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product makes files or directories accessible to unauthorized actors, even though they should not be.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined
technology Cloud Computing Often

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2026-59703 2026-07-08 repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/c…
CVE-2026-13533 2026-06-29 A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler…
CVE-2025-66389 2026-06-22 GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is…
CVE-2026-40624 2026-06-18 Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.
CVE-2025-14771 2026-06-03 Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
CVE-2026-45543 2026-06-01 Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the aff…
CVE-2026-40425 2026-05-29 The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
CVE-2026-45088 2026-05-27 Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagg…
CVE-2024-56462 2026-05-27 IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system…
CVE-2024-11399 2026-05-27 Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks …
CVE-2026-45721 2026-05-26 Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent …
CVE-2026-40564 2026-05-26 Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so tha…
CVE-2026-8704 2026-05-15 Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.
CVE-2026-33380 2026-05-13 A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vuln…
CVE-2026-42063 2026-05-13 A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.  Note: Software versions which have reached …
CVE-2026-40631 2026-05-13 An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which…
CVE-2026-35440 2026-05-12 Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-32185 2026-05-12 Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
CVE-2026-31216 2026-05-12 The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authenticat…
CVE-2026-31215 2026-05-12 The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper auth…

曾用名

  • Errant Files or Directories Accessible (2008-04-11)

内容提交

名称
CWE Community
日期
2006-07-19
版本
Draft 3
评论
Submitted by members of the CWE community to extend early CWE versions

内容修订

日期 名称 版本 重要性 评论
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Relationships, Taxonomy_Mappings
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-07-27 CWE Content Team 1.5 updated Relationships
2010-09-09 1.10 Suggested OWASP Top Ten mapping
2010-09-27 CWE Content Team 1.10 updated Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings
2019-01-03 CWE Content Team 3.2 updated Related_Attack_Patterns
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns
2020-02-24 CWE Content Team 4.0 updated Description, Relationships
2020-08-20 CWE Content Team 4.2 updated Related_Attack_Patterns
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References
2023-04-27 CWE Content Team 4.11 updated Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, References, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2025-12-11 CWE Content Team 4.19 updated Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence