{"@ID": "50", "@Name": "Path Equivalence: '//multiple/leading/slash'", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "41", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "161", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Resultant"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity"], "Impact": ["Read Files or Directories", "Modify Files or Directories"]}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-1483", "Description": "Read files with full pathname using multiple internal slash.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1483"}, {"Reference": "CVE-1999-1456", "Description": "Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-1456"}, {"Reference": "CVE-2004-0578", "Description": "Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0578"}, {"Reference": "CVE-2002-0275", "Description": "Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0275"}, {"Reference": "CVE-2004-1032", "Description": "Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1032"}, {"Reference": "CVE-2002-1238", "Description": "Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1238"}, {"Reference": "CVE-2004-1878", "Description": "Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1878"}, {"Reference": "CVE-2005-1365", "Description": "Server allows remote attackers to execute arbitrary commands via a URL with multiple leading \"/\" (slash) characters and \"..\" sequences.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1365"}, {"Reference": "CVE-2000-1050", "Description": "Access directory using multiple leading slash.", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-1050"}, {"Reference": "CVE-2001-1072", "Description": "Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1072"}, {"Reference": "CVE-2004-0235", "Description": "Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0235"}]}, "Functional_Areas": {"Functional_Area": "File Processing"}, "Affected_Resources": {"Affected_Resource": "File or Directory"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "//multiple/leading/slash ('multiple leading slash')"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP16", "Entry_Name": "Path Traversal"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Affected_Resources, Functional_Areas"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Path Issue - Multiple Leading Slash - //multiple/leading/slash"}}}
