Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-7F7Q-JM58-6F8F

Vulnerability from github – Published: 2024-10-15 09:30 – Updated: 2024-10-15 09:30
VLAI
Details

Enterprise Cloud Database from Ragic does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T09:15:04Z",
    "severity": "HIGH"
  },
  "details": "Enterprise Cloud Database from Ragic does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files.",
  "id": "GHSA-7f7q-jm58-6f8f",
  "modified": "2024-10-15T09:30:32Z",
  "published": "2024-10-15T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9983"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-8149-31424-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-8148-ed790-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JQV-FW35-GMX9

Vulnerability from github – Published: 2026-04-21 17:18 – Updated: 2026-04-21 17:18
VLAI
Summary
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
Details

Summary

When HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML.

Patches

Upgrade to nbconvert 7.17.1

Workarounds

Do not enable HTMLExporter.embed_images (it is not enabled by default).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nbconvert"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.5.0"
            },
            {
              "fixed": "7.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T17:18:53Z",
    "nvd_published_at": "2026-04-21T01:16:06Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nWhen `HTMLExporter.embed_images=True`, nbconvert\u0027s markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML.\n\n## Patches\n\nUpgrade to nbconvert 7.17.1\n\n## Workarounds\n\nDo not enable `HTMLExporter.embed_images` (it is not enabled by default).",
  "id": "GHSA-7jqv-fw35-gmx9",
  "modified": "2026-04-21T17:18:53Z",
  "published": "2026-04-21T17:18:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39378"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyter/nbconvert"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyter/nbconvert/releases/tag/v7.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding"
}

GHSA-7M8X-93C8-87GW

Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 18:32
VLAI
Details

Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T17:16:44Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-7m8x-93c8-87gw",
  "modified": "2025-03-11T18:32:19Z",
  "published": "2025-03-11T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26645"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26645"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7Q5G-GPH2-4RC6

Vulnerability from github – Published: 2022-02-09 22:29 – Updated: 2021-04-07 18:02
VLAI
Summary
Upload of file to arbitrary path in Apache Flink
Details

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.flink:flink-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.1"
            },
            {
              "fixed": "1.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-07T18:02:24Z",
    "nvd_published_at": "2021-01-05T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.",
  "id": "GHSA-7q5g-gph2-4rc6",
  "modified": "2021-04-07T18:02:24Z",
  "published": "2022-02-09T22:29:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe159ccf496d75813f24c6079c5d33872d83f5a2e39cb32c3aef5a73@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf8812a5703f4a5f1341138baf239258b250875699732cfdf9d55b21d@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rec0d650fbd4ea1a5e1224a347d83a63cb44291c334ad58b8809bc23b@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd6a1a0e2d73220a65a8f6535bbcd24bb66adb0d046c4a1aa18777cf3@%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd2467344f88bcaf108b8209ca92da8ec393c68174bfb8c27d1e20faa@%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcb9e8af775f2a3706b69153aefde78f208871649df057c70ce2e24f9@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8c96bf3ccb4e491f9ce87ba35f134b4449beb2a38d1ce28fd89001f@%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r88200d2f0b620c6b4b1585a7171355005c89e678b01d0e71a16c57e7@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8167f30c4c60a11b8d5be3f55537beeda629be61196e693bde403b36@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7b2ee88c66fc1d0823e66475631f5c3e7f0365204ff0cb094d9f2433@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r710693b0d3b229c81f485804ea1145b4edda79c9e77d66c39a0a2ff1@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r705fb2211b82c9f1f8d2b1d4c823bcbca50402ba09b96608ec657efe@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5444acac3407ef6397d6aef1b5aec2db53b4b88ef221e63084c1e5f2@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4a87837518804b31eb9db3048347ed2bb7b46fbaad5844f22a9fd4dc@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r28f17e564950d663e68cc6fe75756012dda62ac623766bb9bc5e7034@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r26fcdd4fe288323006253437ebc4dd6fdfadfb5e93465a0e4f68420d@%3Cuser-zh.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r229167538863518738e02f4c1c5a8bb34c1d45dadcc97adf6676b0c1@%3Cdev.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0b000dc028616d33cb9aa388eb45d516b789cab0024dad94bc06588a@%3Cissues.flink.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/01/05/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Upload of file to arbitrary path in Apache Flink"
}

GHSA-7Q9J-C58F-8CW5

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-05T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.",
  "id": "GHSA-7q9j-c58f-8cw5",
  "modified": "2022-05-24T19:01:25Z",
  "published": "2022-05-24T19:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29101"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/ext-server-geoevent/administration/arcgis-geoevent-server-security-update-2021-patch-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QXC-43WM-V793

Vulnerability from github – Published: 2026-02-27 12:31 – Updated: 2026-03-02 18:31
VLAI
Details

Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise. This issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T10:16:22Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD\u00a0allow an unauthenticated attacker to\nexecute arbitrary code on the affected device, leading to full system compromise. \nThis issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.",
  "id": "GHSA-7qxc-43wm-v793",
  "modified": "2026-03-02T18:31:41Z",
  "published": "2026-02-27T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21659"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7W47-3WG8-547C

Vulnerability from github – Published: 2024-05-22 14:05 – Updated: 2024-07-08 16:20
VLAI
Summary
gix traversal outside working tree enables arbitrary code execution
Details

Summary

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

Details

Although gix-worktree-state checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs and gix-worktree prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git directory. The simplest cases are:

  • A tree named .. to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
  • A tree named .git to enter a .git directory. This facilitates arbitrary code execution because hooks can be installed.

A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:

  • A tree or blob whose name contains one or more /, to traverse upward or downward. For example, even without containing any tree named .. or .git, a repository can represent a file named ../outside or .git/hooks/pre-commit. This is distinct from the more intuitive case a repository containing trees that represent those paths.
  • In Windows, a tree or blob whose name contains one or more \, to traverse upward or downward. (Unlike /, these are valid on other systems.) See GHSA-xjx4-8694-q2fq.
  • On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of .git.
  • On HFS+, a tree named like .git or a case variant, with characters added that HFS+ ignores in collation. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
  • On NTFS, a tree equivalent to .git (or a case variant) by the use of NTFS stream notation, such as .git::$INDEX_ALLOCATION. See GHSA-5wph-8frv-58vj.
  • On an NTFS volume with 8.3 aliasing enabled, a tree named as git~1 (or a case variant). See GHSA-589j-mmg9-733v.

When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.

PoC

For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed supports -i, which is the case on most systems. If using Windows, a Git Bash shell should be used.

Example: Downward traversal to install hooks

  1. Create a new repository with git init dangerous-repo-installs-hook and cd into the directory.
  2. Create the stand-in called .git@hooks@pre-commit, with the contents: sh #!/bin/sh printf 'Vulnerable!\n' date >vulnerable
  3. Stage the stand-in: git add --chmod=+x .git@hooks@pre-commit
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, on another or the same machine:

  1. Clone the repository with a gix clone … command.
  2. Enter the newly created directory.
  3. Optionally run ls -l .git/hooks to observe that the pre-commit hook is already present.
  4. Make a new file and commit it with git. This causes the payload surreptitiously installed as a pre-commit hook to run, printing the message Vulnerable! and creating a file in the current directory containing the current date and time.

Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit is capable of.

Example: Upward traversal to create a file above the working tree

  1. Create a new repository with git init dangerous-repo-reaches-up, and cd into the directory.
  2. Create the stand-in: echo 'A file outside the working tree, somehow.' >..@outside
  3. Stage the stand-in: git add ..@outside
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, as above, on the same or another machine, clone the repository with a gix clone … command. Observe that a file named outside is present alongside (not inside) the cloned directory.

Impact

Any use of gix or another application that makes use of gix-worktree-state, or otherwise relies on gix-fs and gix-worktree for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.

In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-worktree-state"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-fs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-worktree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.63.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-22T14:05:58Z",
    "nvd_published_at": "2024-05-23T09:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nDuring checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.\n\n### Details\n\nAlthough `gix-worktree-state` checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in `gix-fs` and `gix-worktree` prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule\u0027s `.git` directory. The simplest cases are:\n\n- A tree named `..` to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.\n- A tree named `.git` to enter a `.git` directory. This facilitates arbitrary code execution because hooks can be installed.\n\nA number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:\n\n- A tree or blob whose name contains one or more `/`, to traverse upward or downward. For example, even without containing any tree named `..` or `.git`, a repository can represent a file named `../outside` or `.git/hooks/pre-commit`. This is distinct from the more intuitive case a repository containing trees that represent those paths.\n- In Windows, a tree or blob whose name contains one or more `\\`, to traverse upward or downward. (Unlike `/`, these are valid on other systems.) See [GHSA-xjx4-8694-q2fq](https://github.com/git/git/security/advisories/GHSA-xjx4-8694-q2fq).\n- On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of `.git`.\n- On HFS+, a tree named like `.git` or a case variant, with characters added that HFS+ ignores [in collation](https://developer.apple.com/library/archive/technotes/tn/tn1150.html#StringComparisonAlgorithm). See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.\n- On NTFS, a tree equivalent to `.git` (or a case variant) by the use of [NTFS stream](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3) notation, such as `.git::$INDEX_ALLOCATION`. See [GHSA-5wph-8frv-58vj](https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj).\n- On an NTFS volume with [8.3 aliasing](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#short-vs-long-names) enabled, a tree named as `git~1` (or a case variant). See [GHSA-589j-mmg9-733v](https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v).\n\nWhen a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.\n\n### PoC\n\nFor simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume `sed` supports `-i`, which is the case on most systems. If using Windows, a Git Bash shell should be used.\n\n#### Example: Downward traversal to install hooks\n\n1. Create a new repository with `git init dangerous-repo-installs-hook` and `cd` into the directory.\n2. Create the stand-in called `.git@hooks@pre-commit`, with the *contents*:\n   ```sh\n   #!/bin/sh\n   printf \u0027Vulnerable!\\n\u0027\n   date \u003evulnerable\n   ```\n3. Stage the stand-in: `git add --chmod=+x .git@hooks@pre-commit`\n4. Edit the index: `env LC_ALL=C sed -i.orig \u0027s|\\.git@hooks@pre-commit|.git/hooks/pre-commit|\u0027 .git/index`\n5. Commit: `git commit -m \u0027Initial commit\u0027`\n6. *Optionally*, push to a private remote.\n\nThen, on another or the same machine:\n\n1. Clone the repository with a `gix clone \u2026` command.\n2. Enter the newly created directory.\n3. *Optionally* run `ls -l .git/hooks` to observe that the `pre-commit` hook is already present.\n4. Make a new file and commit it with `git`. This causes the payload surreptitiously installed as a `pre-commit` hook to run, printing the message `Vulnerable!` and creating a file in the current directory containing the current date and time.\n\nNote that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs `git commit` is capable of.\n\n#### Example: Upward traversal to create a file above the working tree\n\n1. Create a new repository with `git init dangerous-repo-reaches-up`, and `cd` into the directory.\n2. Create the stand-in: `echo \u0027A file outside the working tree, somehow.\u0027 \u003e..@outside`\n3. Stage the stand-in: `git add ..@outside`\n4. Edit the index: `env LC_ALL=C sed -i.orig \u0027s|\\.\\.@outside|../outside|\u0027 .git/index`\n5. Commit: `git commit -m \u0027Initial commit\u0027`\n6. *Optionally*, push to a private remote.\n\nThen, as above, on the same or another machine, clone the repository with a `gix clone \u2026` command. Observe that a file named `outside` is present alongside (not inside) the cloned directory.\n\n### Impact\n\nAny use of `gix` or another application that makes use of `gix-worktree-state`, or otherwise relies on `gix-fs` and `gix-worktree` for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.\n\nIn use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability *may* be lower when `gix` is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.",
  "id": "GHSA-7w47-3wg8-547c",
  "modified": "2024-07-08T16:20:56Z",
  "published": "2024-05-22T14:05:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35186"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Byron/gitoxide"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0348.html"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0350.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gix traversal outside working tree enables arbitrary code execution"
}

GHSA-7WPM-J27W-6R7J

Vulnerability from github – Published: 2024-07-01 06:31 – Updated: 2024-07-01 06:31
VLAI
Details

CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary file on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T05:15:04Z",
    "severity": "MODERATE"
  },
  "details": "CHANGING Mobile One Time Password does not properly filter parameters for the file download functionality, allowing remote attackers with administrator privilege to read arbitrary file on the system.",
  "id": "GHSA-7wpm-j27w-6r7j",
  "modified": "2024-07-01T06:31:17Z",
  "published": "2024-07-01T06:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3122"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-7912-4c800-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7911-0962e-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WQH-767X-R66V

Vulnerability from github – Published: 2025-03-10 22:19 – Updated: 2025-11-04 00:32
VLAI
Summary
Local File Inclusion in Rack::Static
Details

Summary

Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly.

Details

The vulnerability occurs because Rack::Static does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified root: directory, provided they are able to determine then path of the file.

Mitigation

  • Update to the latest version of Rack, or
  • Remove usage of Rack::Static, or
  • Ensure that root: points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1"
            },
            {
              "fixed": "3.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T22:19:30Z",
    "nvd_published_at": "2025-03-10T23:15:35Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.\n\n## Details\n\nThe vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.\n\n## Impact\n\nBy exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Static`, or\n- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.\n\nIt is likely that a CDN or similar static file server would also mitigate the issue.",
  "id": "GHSA-7wqh-767x-r66v",
  "modified": "2025-11-04T00:32:21Z",
  "published": "2025-03-10T22:19:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local File Inclusion in Rack::Static"
}

GHSA-7WRC-R54R-W52V

Vulnerability from github – Published: 2025-09-15 18:31 – Updated: 2025-09-15 18:31
VLAI
Details

Relative path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .DWF3WORK file. This vulnerability affects Digilent WaveForms 3.24.3 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T17:15:32Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted .DWF3WORK file.  This vulnerability affects Digilent WaveForms 3.24.3 and prior versions.",
  "id": "GHSA-7wrc-r54r-w52v",
  "modified": "2025-09-15T18:31:06Z",
  "published": "2025-09-15T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10203"
    },
    {
      "type": "WEB",
      "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/relative-path-traversal-vulnerability-in-digilent-waveforms.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.