CWE-219: Storage of File with Sensitive Data Under Web Root
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
Last updated
Overview
Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.
Real-world CVEs
6 recorded CVEs are caused by CWE-219 (Storage of File with Sensitive Data Under Web Root). The highest-severity and most recent are shown first.
- CVE-2024-39776High · CVSS 8.7 · EPSS 31th2024-08-22
- CVE-2024-56159High · CVSS 7.8 · EPSS 71th2024-12-19
- CVE-2022-21236High · CVSS 7.5 · EPSS 76th2022-01-28
- CVE-2022-36306Medium · CVSS 6.5 · EPSS 53th2022-08-16
- CVE-2023-39467
Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability
Medium · CVSS 5.3 · EPSS 42th2024-05-03 - CVE-2002-2024Medium · CVSS 5.3 · EPSS 78th2005-07-14
Common consequences
What can happen when CWE-219 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-219, grouped by where in the lifecycle they apply.
Avoid storing information under the web root directory.
Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2005-1835 — Data file under web root.
- CVE-2005-2217 — Data file under web root.
- CVE-2002-1449 — Username/password in data file under web root.
- CVE-2002-0943 — Database file under web root.
- CVE-2005-1645 — database file under web root.
Terminology & mappings
Mapped taxonomies
- PLOVER: Sensitive Data Under Web Root
- OWASP Top Ten 2004: Insecure Configuration Management (A10) — CWE More Specific fit
Frequently asked questions
Common questions about CWE-219.
- What is CWE-219?
- The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
- What CVEs are caused by CWE-219?
- 6 recorded CVEs are attributed to CWE-219, including CVE-2024-39776, CVE-2024-56159, CVE-2022-21236.
- Is CWE-219 part of the OWASP Top 10?
- CWE-219 maps to OWASP Top Ten 2004: Insecure Configuration Management (A10) in the OWASP security taxonomy.
- How do you prevent CWE-219?
- Avoid storing information under the web root directory.
- What are the consequences of CWE-219?
- Exploiting CWE-219 can lead to: Read Application Data.
- Is CWE-219 actively exploited?
- 6 recorded CVEs are caused by CWE-219; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-219) (opens in a new tab)
- CWE-219 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-219
Get alerted the moment a new CWE-219 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.