CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-2J7G-CPCM-93QX
Vulnerability from github – Published: 2024-02-06 12:30 – Updated: 2024-02-06 12:30In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives
{
"affected": [],
"aliases": [
"CVE-2024-24942"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T10:15:11Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives",
"id": "GHSA-2j7g-cpcm-93qx",
"modified": "2024-02-06T12:30:31Z",
"published": "2024-02-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24942"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2JX4-MMR5-WW75
Vulnerability from github – Published: 2025-07-14 06:30 – Updated: 2025-07-14 06:30BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2025-7619"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-14T04:15:46Z",
"severity": "HIGH"
},
"details": "BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution.",
"id": "GHSA-2jx4-mmr5-ww75",
"modified": "2025-07-14T06:30:30Z",
"published": "2025-07-14T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7619"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10240-00f86-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10239-770ab-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2M4Q-2C6R-HMC3
Vulnerability from github – Published: 2025-03-31 00:30 – Updated: 2025-03-31 16:42A vulnerability classified as problematic was found in opensolon up to 3.1.0. This vulnerability affects the function render_mav of the file /aa of the component org.noear.solon.core.handle.RenderManager. The manipulation of the argument template with the input ../org/example/HelloApp.class leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.noear:solon-view"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2961"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-31T16:42:28Z",
"nvd_published_at": "2025-03-30T22:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in opensolon up to 3.1.0. This vulnerability affects the function render_mav of the file /aa of the component org.noear.solon.core.handle.RenderManager. The manipulation of the argument template with the input ../org/example/HelloApp.class leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-2m4q-2c6r-hmc3",
"modified": "2025-03-31T16:42:29Z",
"published": "2025-03-31T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2961"
},
{
"type": "WEB",
"url": "https://github.com/Q16G/cve_detail/blob/main/solon/templateRCE.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/opensolon/solon"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.302014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.302014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.522380"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Solon Vulnerable to Path Traversal"
}
GHSA-2PP3-2HR3-936M
Vulnerability from github – Published: 2024-12-18 15:33 – Updated: 2024-12-18 15:33A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
{
"affected": [],
"aliases": [
"CVE-2023-34990"
],
"database_specific": {
"cwe_ids": [
"CWE-23",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T13:15:05Z",
"severity": "CRITICAL"
},
"details": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.",
"id": "GHSA-2pp3-2hr3-936m",
"modified": "2024-12-18T15:33:00Z",
"published": "2024-12-18T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34990"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-144"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PRH-86CW-FM96
Vulnerability from github – Published: 2026-07-08 03:30 – Updated: 2026-07-08 03:30sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
{
"affected": [],
"aliases": [
"CVE-2026-59995"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T01:16:28Z",
"severity": "MODERATE"
},
"details": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
"id": "GHSA-2prh-86cw-fm96",
"modified": "2026-07-08T03:30:27Z",
"published": "2026-07-08T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59995"
},
{
"type": "WEB",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=178333966933090\u0026w=2"
},
{
"type": "WEB",
"url": "https://www.openssh.org/releasenotes.html#10.4p1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/07/06/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2R3C-M6V7-9354
Vulnerability from github – Published: 2023-09-21 17:07 – Updated: 2026-06-10 13:42Background
Sudo-rs allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in /var/run/sudo-rs/ts. These files are named according to the username from which the sudo attempt is made (the origin user).
Impact
An issue was discovered where usernames containing the . and / characters could result in the corruption of specific files on the filesystem. On some operating systems usernames are not limited as to the characters they can contain, so a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username ../../../../bin/cp. When logged in as a user with that name, that user could run sudo -K to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of /bin/cp. The code then clears that file, resulting in the cp binary effectively being removed from the system.
An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames.
Affected systems
Debian bookworm (and earlier) and Ubuntu 24.04 (and earlier) allow creating of these usernames using useradd without warning. On most other systems and later versions an attempt to create such users will result in an error.
Patches
The bug is fixed in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values.
Workarounds
The sudo -K and sudo -k commands can run, even if a user has no sudo access. Make sure that your system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on your system you should not be able to exploit this issue.
References
This issue was identified by Andrea Jegher from Radically Open Security during an audit of the sudo-rs code. The same problem existed in original sudo and was fixed in version 1.9.15.
Notes
This advisory was updated in 2026 to better reflect the fact that "path-like" user names are normally forbidden from creation, and the CVSS score downgraded accordingly.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "crates.io",
"name": "sudo-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42456"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T17:07:15Z",
"nvd_published_at": "2023-09-21T16:15:09Z",
"severity": "LOW"
},
"details": "### Background\n\nSudo-rs allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user).\n\n### Impact\n\nAn issue was discovered where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. On some operating systems usernames are not limited as to the characters they can contain, so a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system.\n\nAn attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames.\n\n### Affected systems\nDebian bookworm (and earlier) and Ubuntu 24.04 (and earlier) allow creating of these usernames using `useradd` without warning. On most other systems and later versions an attempt to create such users will result in an error.\n\n### Patches\nThe bug is fixed in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values.\n\n### Workarounds\nThe `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. Make sure that your system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on your system you should not be able to exploit this issue.\n\n### References\nThis issue was identified by Andrea Jegher from Radically Open Security during an audit of the sudo-rs code. The same problem existed in original sudo and was fixed in version 1.9.15.\n\n### Notes\nThis advisory was updated in 2026 to better reflect the fact that \"path-like\" user names are normally forbidden from creation, and the CVSS score downgraded accordingly.",
"id": "GHSA-2r3c-m6v7-9354",
"modified": "2026-06-10T13:42:26Z",
"published": "2023-09-21T17:07:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354"
},
{
"type": "WEB",
"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42456"
},
{
"type": "WEB",
"url": "https://github.com/memorysafety/sudo-rs/commit/bfdbda22968e3de43fa8246cab1681cfd5d5493d"
},
{
"type": "WEB",
"url": "https://ferrous-systems.com/blog/sudo-rs-audit"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2r3c-m6v7-9354"
},
{
"type": "PACKAGE",
"url": "https://github.com/memorysafety/sudo-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0069.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/02/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "sudo-rs Session File Relative Path Traversal vulnerability"
}
GHSA-32XF-JWMV-9HF3
Vulnerability from github – Published: 2020-06-05 16:13 – Updated: 2025-10-22 17:52Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-config-server"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5410"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-04T19:07:50Z",
"nvd_published_at": "2020-06-02T17:15:00Z",
"severity": "HIGH"
},
"details": "Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.",
"id": "GHSA-32xf-jwmv-9hf3",
"modified": "2025-10-22T17:52:48Z",
"published": "2020-06-05T16:13:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5410"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-cloud/spring-cloud-config"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2020-5410"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H",
"type": "CVSS_V3"
}
],
"summary": "Directory traversal attack in Spring Cloud Config"
}
GHSA-332G-RF22-2VCG
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request.
{
"affected": [],
"aliases": [
"CVE-2024-6583"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:33Z",
"severity": "MODERATE"
},
"details": "A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request.",
"id": "GHSA-332g-rf22-2vcg",
"modified": "2025-03-20T12:32:45Z",
"published": "2025-03-20T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6583"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/c310b500-ec26-4121-8d3a-8e863181346f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-339X-6C8M-XVXC
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-50663"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:17:01Z",
"severity": "HIGH"
},
"details": "Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-339x-6c8m-xvxc",
"modified": "2026-07-14T18:32:05Z",
"published": "2026-07-14T18:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50663"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-34JC-MC86-8WW9
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-04-03 18:30A vulnerability in the web-based interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
{
"affected": [],
"aliases": [
"CVE-2024-20310"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based interface of Cisco Unified Communications Manager IM \u0026 Presence Service (Unified CM IM\u0026P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface.\n\n This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.",
"id": "GHSA-34jc-mc86-8ww9",
"modified": "2024-04-03T18:30:41Z",
"published": "2024-04-03T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20310"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imps-xss-quWkd9yF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.