045 – Remove metadata when sharing files

Summary

The organization must remove file metadata before sharing it or making it public.

Description

Metadata includes different data such as the user's name, document properties, editing history, and comments. This metadata can inadvertently reveal sensitive details about the document and its editors.

Supported In

Advanced: True

References

• CWE-1230. Exposure of sensitive information through metadata
• GDPR-25_1. Data protection by design and by default
• GDPR-R51. Protecting sensitive personal data
• OWASP10-A2. Cryptographic failures
• OWASP10-A3. Injection
• CMMC-AC_L1-3_1_22. Control public information
• HITRUST-09_z. Publicly available information
• FEDRAMP-AC-22. Publicly accessible content
• LGPD-7_X-3. Requirements for the Processing of Personal Data
• PTES-3_4_1_4_1. Corporate - Electronic (document metadata)
• PTES-3_4_1_5_7. Corporate - Infrastructure assets (application usage)
• PTES-5_3_1. Vulnerability analysis - Metadata
• SIGLITE-SL_79. Is a web site supported, hosted or maintained that has access to scoped systems and data?

Weaknesses

• 119 – Metadata with sensitive information

Last updated

2024/01/18