- What is CWE-548?
- The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
- What CVEs are caused by CWE-548?
- 55 recorded CVEs are attributed to CWE-548, including CVE-2021-47718, CVE-2020-7858, CVE-2020-8161.
- Is CWE-548 part of the OWASP Top 10?
- CWE-548 maps to OWASP Top Ten 2004: Insecure Configuration Management (A10) in the OWASP security taxonomy.
- How do you prevent CWE-548?
- Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.
- How is CWE-548 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-548?
- Exploiting CWE-548 can lead to: Read Files or Directories.
- Is CWE-548 actively exploited?
- 55 recorded CVEs are caused by CWE-548; none are currently in CISA's KEV catalog of actively exploited flaws.