Web.config File Information Disclosure

medium Web App Scanning Plugin ID 98594

Language:

Synopsis

Web.config File Information Disclosure

Description

An information disclosure vulnerability exists in the remote web server due to the disclosure of the web.config file. An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose potentially sensitive configuration information.

Solution

Ensure proper restrictions are in place, or remove the file if the file is not required.

Plugin Details

Severity: Medium

ID: 98594

Type: remote

Family: Data Exposure

Published: 5/14/2019

Updated: 5/16/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 425

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A1

WASC: Predictable Resource Location

CAPEC: 127, 87

DISA STIG: APSC-DV-002560

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-6.5.8