CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-4PGP-HX9Q-53RP
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-04-03 18:30A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system.
{
"affected": [],
"aliases": [
"CVE-2024-20352"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:49Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system.",
"id": "GHSA-4pgp-hx9q-53rp",
"modified": "2024-04-03T18:30:41Z",
"published": "2024-04-03T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20352"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cem-csrf-suCmNjFr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PH2-F6PF-79WV
Vulnerability from github – Published: 2026-04-06 23:08 – Updated: 2026-04-07 22:09The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive resolve outside of the intended extraction directory.
Details
Location: src/praisonai/praisonai/cli/features/templates.py (Line 852)
Vulnerable Code snippet:
zip_ref.extractall(tmpdir)
During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using zip_ref.extractall(tmpdir). A specially crafted ZIP archive can contain file entries with relative paths (such as ../../../../tmp/evil.sh). If extracting this archive in older Python versions or environments where extraction rules aren't strict, extractall will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem.
PoC
- Generate a malicious zip payload:
import zipfile
with zipfile.ZipFile('malicious_template.zip', 'w') as z:
# Adding a file that traverses directories
z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')
- Trick a user into installing the malicious template:
praisonai templates install github:attacker/malicious_template
- Observe the
zip_slip_pwned.txtfile created in/tmp/on the victim's machine.
Impact
This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.112"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.113"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39307"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T23:08:55Z",
"nvd_published_at": "2026-04-07T17:16:36Z",
"severity": "HIGH"
},
"details": "The PraisonAI templates installation feature is vulnerable to a \"Zip Slip\" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python\u0027s `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. \n\n### Details\nLocation: `src/praisonai/praisonai/cli/features/templates.py` (Line 852)\n\nVulnerable Code snippet:\n```python\nzip_ref.extractall(tmpdir)\n```\n\nDuring installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren\u0027t strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim\u0027s filesystem.\n\n### PoC\n1. Generate a malicious zip payload:\n```python\nimport zipfile\n\nwith zipfile.ZipFile(\u0027malicious_template.zip\u0027, \u0027w\u0027) as z:\n # Adding a file that traverses directories\n z.writestr(\u0027../../../../../../../tmp/zip_slip_pwned.txt\u0027, \u0027pwned by zip slip\u0027)\n```\n2. Trick a user into installing the malicious template:\n```bash\npraisonai templates install github:attacker/malicious_template\n```\n3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim\u0027s machine.\n\n### Impact\nThis is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).",
"id": "GHSA-4ph2-f6pf-79wv",
"modified": "2026-04-07T22:09:54Z",
"published": "2026-04-06T23:08:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4ph2-f6pf-79wv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39307"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction"
}
GHSA-4QHP-652W-C22X
Vulnerability from github – Published: 2024-01-18 16:12 – Updated: 2024-01-19 20:32Impact
Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory.
Patches
Version 2.2.2 has been patched.
Workarounds
Users of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp.
Credits
We would like to credit Bary Levy, researcher of pillar.security research team, for the discovery and responsible disclosure of this vulnerability.
Edit: based on advice from pillar.security the Confidentiality/Integrity/Availability were increased to High to reflect potential for critical impact on publicly hosted jupyter-server instances lacking isolation of user privileges on operating system level (for best practices please consult https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#protect-users-from-each-other) and CWE-94 was added due to a potential vulnerability chaining in specific environments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.1"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyter-lsp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22415"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-18T16:12:28Z",
"nvd_published_at": "2024-01-18T21:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\nInstallations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory.\n\n### Patches\nVersion 2.2.2 has been patched.\n\n### Workarounds\nUsers of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp.\n\n### Credits\nWe would like to credit Bary Levy, researcher of pillar.security research team, for the discovery and responsible disclosure of this vulnerability.\n\nEdit: based on advice from pillar.security the Confidentiality/Integrity/Availability were increased to High to reflect potential for critical impact on publicly hosted jupyter-server instances lacking isolation of user privileges on operating system level (for best practices please consult https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#protect-users-from-each-other) and CWE-94 was added due to a potential vulnerability chaining in specific environments.",
"id": "GHSA-4qhp-652w-c22x",
"modified": "2024-01-19T20:32:07Z",
"published": "2024-01-18T16:12:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22415"
},
{
"type": "WEB",
"url": "https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter-lsp/jupyterlab-lsp"
},
{
"type": "WEB",
"url": "https://github.com/jupyter-lsp/jupyterlab-lsp/releases/tag/v5.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Unsecured endpoints in the jupyter-lsp server extension"
}
GHSA-4RFH-V443-HVGH
Vulnerability from github – Published: 2023-11-14 18:30 – Updated: 2023-11-14 18:30A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.2 through 8.4.0 and 8.3.2 through 8.3.0 and 8.2.2 allows attacker to read arbitrary files via crafted http requests.
{
"affected": [],
"aliases": [
"CVE-2023-42783"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T18:15:53Z",
"severity": "HIGH"
},
"details": "A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.2 through 8.4.0 and 8.3.2 through 8.3.0 and 8.2.2 allows attacker to read arbitrary files via crafted http requests.",
"id": "GHSA-4rfh-v443-hvgh",
"modified": "2023-11-14T18:30:29Z",
"published": "2023-11-14T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42783"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-143"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W42-HX2P-M2JW
Vulnerability from github – Published: 2024-02-06 12:30 – Updated: 2024-08-22 21:31In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation
{
"affected": [],
"aliases": [
"CVE-2024-24938"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T10:15:10Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation",
"id": "GHSA-4w42-hx2p-m2jw",
"modified": "2024-08-22T21:31:27Z",
"published": "2024-02-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24938"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W5P-QWH4-XC23
Vulnerability from github – Published: 2025-02-23 18:30 – Updated: 2025-02-23 18:30A vulnerability has been found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage-nurse.php. The manipulation of the argument profilepic leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting vulnerability classes.
{
"affected": [],
"aliases": [
"CVE-2025-1588"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-23T16:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage-nurse.php. The manipulation of the argument profilepic leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting vulnerability classes.",
"id": "GHSA-4w5p-qwh4-xc23",
"modified": "2025-02-23T18:30:24Z",
"published": "2025-02-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1588"
},
{
"type": "WEB",
"url": "https://github.com/wqywfvc/CVE/issues/16"
},
{
"type": "WEB",
"url": "https://phpgurukul.com"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.296572"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.296572"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.505441"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-53QH-2V26-Q8GX
Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2025-24350"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T12:15:21Z",
"severity": "HIGH"
},
"details": "A vulnerability in the \u201cCertificates and Keys\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.",
"id": "GHSA-53qh-2v26-q8gx",
"modified": "2025-04-30T12:31:25Z",
"published": "2025-04-30T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24350"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53RW-GCGW-2723
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-04-30 15:30A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow directory listing in any folder accessible to the account assigned to the website’s application pool.
{
"affected": [],
"aliases": [
"CVE-2022-42892"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-17T17:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in syngo Dynamics (All versions \u003c VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow directory listing in any folder accessible to the account assigned to the website\u2019s application pool.",
"id": "GHSA-53rw-gcgw-2723",
"modified": "2025-04-30T15:30:38Z",
"published": "2023-07-06T19:24:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42892"
},
{
"type": "WEB",
"url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-741697"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-544V-V93W-X43G
Vulnerability from github – Published: 2026-04-20 09:30 – Updated: 2026-04-20 09:30ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system.
{
"affected": [],
"aliases": [
"CVE-2026-5966"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T08:16:11Z",
"severity": "HIGH"
},
"details": "ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system.",
"id": "GHSA-544v-v93w-x43g",
"modified": "2026-04-20T09:30:45Z",
"published": "2026-04-20T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5966"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5458-7HH9-V7P4
Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-27 19:49pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.pf4j:pf4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-70952"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T19:49:00Z",
"nvd_published_at": "2026-03-25T19:16:28Z",
"severity": "HIGH"
},
"details": "pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.",
"id": "GHSA-5458-7hh9-v7p4",
"modified": "2026-03-27T19:49:01Z",
"published": "2026-03-25T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70952"
},
{
"type": "WEB",
"url": "https://github.com/pf4j/pf4j/issues/618"
},
{
"type": "WEB",
"url": "https://github.com/pf4j/pf4j/issues/623"
},
{
"type": "WEB",
"url": "https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14"
},
{
"type": "WEB",
"url": "https://gist.github.com/weaver4VD/410f23adb24ef5f5077f021f4393e705"
},
{
"type": "PACKAGE",
"url": "https://github.com/pf4j/pf4j"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names "
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.