CVE-2025-60949

Census · CSWeb

Census CSWeb 8.0.1 exposes the "app/config" directory via HTTP, allowing unauthenticated attackers to download configuration files and obtain sensitive secrets.

Executive summary

An information disclosure vulnerability in Census CSWeb allows unauthenticated remote attackers to obtain sensitive configuration secrets by accessing exposed directories.

Vulnerability

In certain deployments, the app/config directory is reachable via standard HTTP requests. An unauthenticated remote attacker can directly request the configuration files it holds, which often contain database credentials, API keys, and other secrets such as encryption or signing keys.

Business impact

The exposure of configuration files is a critical security risk that typically leads to full system compromise. Attackers can use leaked database credentials to steal or modify census data, or use leaked secrets to impersonate legitimate users. The CVSS score of 9.1 reflects the severe impact on data confidentiality and the high likelihood of further exploitation following secret discovery.

Remediation

Immediate Action: Update Census CSWeb to version 8.1.0 alpha or later. If an update is not possible, immediately restrict HTTP access to the app/config directory via web server configuration.

Proactive Monitoring: Check web server access logs for any HTTP GET requests targeting the app/config directory or common configuration file names (e.g., .env, config.php).
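As an added example (not part of the advisory), the log check described above as a small POSIX shell script run against an Apache/Nginx combined-format access log. The path and file-name patterns (`/app/config`, `.env`, `config.php`) and the sample log lines are assumptions constructed here; a real deployment may mount CSWeb under a prefix, so extend the pattern to match the actual URL path.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan an Apache/Nginx combined-format
# access log for requests aimed at CSWeb's app/config directory or at common
# configuration file names. Path and file-name patterns are assumptions;
# adjust them to where CSWeb is mounted in your deployment.

# Every request (any common method, not only GET) whose path touches
# /app/config or a well-known config file name. Case-insensitive; the
# ([/? ]|$) alternatives tolerate a trailing slash, a query string, or the
# space before "HTTP/1.x".
scan_config_requests() {
    grep -E -i '"(GET|HEAD|POST) [^" ]*(/app/config([/? ]|$)|/\.env([/? ]|$)|/config\.php([/? ]|$))' "$1"
}

# The subset the server answered with 2xx: the file was actually delivered,
# so any secret inside it must be treated as compromised and rotated.
served_config_files() {
    scan_config_requests "$1" | awk '$9 ~ /^2[0-9][0-9]$/'
}

# Constructed sample log (documentation-range addresses, no real hosts).
# Lines 2 and 3 are served config paths, line 4 is a probe that got a 404,
# line 5 only mentions "config" in a query string and must NOT match.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2025:10:01:05 +0000] "GET /app/config/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2025:10:01:07 +0000] "GET /app/config/db.conf HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:02:00 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [12/Jan/2025:10:02:01 +0000] "GET /app/index.php?page=config HTTP/1.1" 200 3000 "-" "curl/8.0"
EOF
}

# Usage: sh scan_config_access.sh /var/log/nginx/access.log
if [ $# -gt 0 ]; then
    echo "== requests touching configuration paths =="
    scan_config_requests "$1"
    echo "== of those, answered 2xx (file was served) =="
    served_config_files "$1"
fi
```

A 404 on such a path still indicates someone probing for the files and is worth correlating with other activity from the same source; a 2xx on `/app/config/` or a file beneath it is the evidence that triggers the secret rotation recommended below. Attackers may URL-encode path components, so a tuned version of this check should decode the request path before matching.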

Compensating Controls: Use .htaccess (Apache) or location blocks (Nginx) to explicitly deny all public access to the app and config directories.
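The Nginx form of that compensating control, as an added example that is not taken from the advisory or from the CSWeb project. It assumes CSWeb is served from the site root so the directory appears as `/app/config/`; the host name, document root and PHP-FPM socket are placeholders.

```nginx
# Added example, not from the advisory: refuse direct HTTP access to CSWeb's
# app/config directory and to dotfiles such as .env.
# Assumptions: CSWeb lives at the site root; host, root and socket are placeholders.
server {
    listen 80;
    server_name csweb.example;            # placeholder host name
    root /var/www/csweb;                  # placeholder document root

    # Regex location: matches the directory wherever the app is mounted
    # (e.g. /csweb/app/config/), case-insensitively. It must come before the
    # PHP handler below, because nginx uses the first matching regex location,
    # and a request for /app/config/db.php has to hit this block first.
    location ~* /app/config(/|$) {
        deny all;
    }

    # Dotfiles (.env, .htaccess, .git) must never be served.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

`deny all` answers 403; substitute `return 404;` if you prefer not to confirm that the directory exists. The Apache equivalent is a `<Directory /var/www/csweb/app/config>` block (or an `.htaccess` file in that directory) containing `Require all denied`. After reloading the server, verify from the host itself that a request for `/app/config/` and for a known file beneath it is refused before relying on the rule.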

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate remediation is required to prevent the leakage of environment secrets. Administrators should apply the 8.1.0 alpha update or manually secure the directory structure. Once secured, it is highly recommended to rotate all secrets found within those configuration files, as they should be considered compromised.