Skip to main content

Metadata with sensitive information

Description

The system exposes sensitive information through public metadata files.

Impact

  • Obtain sensitive information.
  • Obtain information that can be used to compromise other systems.

Recommendation

Delete files metadata before sharing or publishing them.

Threat

Attacker with access to the repository from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: U
  • Remediation level: X
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:R
  • Score:
    • Base: 4.3
    • Temporal: 3.8
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

Files should have their metadata cleared before being made public

Non compliant code

Metadata of a file stores sensitive information, like location or credentials

{
"Name" : "OrganizationName",
"User" : "AdminUser",
"Permissions" : "*",
"Path" : "/admin/sensitiveFiles/file",
"Location" : "mylocation",
}

Requirements