CWE-36
AllowedAbsolute Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
245 vulnerabilities reference this CWE, most recent first.
GHSA-J9MR-P9R5-6RH3
Vulnerability from github – Published: 2025-08-13 09:30 – Updated: 2025-08-13 09:30Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-8909"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T09:15:29Z",
"severity": "HIGH"
},
"details": "Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.",
"id": "GHSA-j9mr-p9r5-6rh3",
"modified": "2025-08-13T09:30:32Z",
"published": "2025-08-13T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8909"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10325-70192-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10321-3cae5-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCRP-X7W3-FFMG
Vulnerability from github – Published: 2025-01-29 22:21 – Updated: 2025-10-14 21:54Summary
Deep Java Library (DJL) is an open-source, high-level, engine-agnostic Java framework for deep learning. DJL is designed to be easy to get started with and simple to use for Java developers. DJL provides a native Java development experience and functions like any other regular Java library.
DJL provides utilities for extracting tar and zip model archives that are used when loading models for use with DJL. These utilities were found to contain issues that do not protect against absolute path traversal during the extraction process.
Impact
An issue exists with DJL's untar and unzip functionalities. Specifically, it is possible to create an archive on a Windows system, and when extracted on a MacOS or Linux system, write artifacts outside the intended destination during the extraction process. The reverse is also true for archives created on MacOS/Linux systems and extracted on Windows systems.
Impacted versions: 0.1.0 - 0.31.0
Patches
This issue has been patched in DJL 0.31.1 [1]
Workarounds
Do not use model archive files from sources you do not trust. You should only use model archives from official sources like the DJL Model Zoo, or models that you have created and packaged yourself.
References
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] https://github.com/deepjavalibrary/djl/tree/v0.31.1 [2] https://aws.amazon.com/security/vulnerability-reporting
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ai.djl:api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-0851"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-29T22:21:33Z",
"nvd_published_at": "2025-01-29T22:15:30Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\n[Deep Java Library (DJL)](https://docs.djl.ai/master/index.html) is an open-source, high-level, engine-agnostic Java framework for deep learning. DJL is designed to be easy to get started with and simple to use for Java developers. DJL provides a native Java development experience and functions like any other regular Java library.\n\nDJL provides utilities for extracting tar and zip model archives that are used when loading models for use with DJL. These utilities were found to contain issues that do not protect against absolute path traversal during the extraction process.\n\n## Impact\n\nAn issue exists with DJL\u0027s untar and unzip functionalities. Specifically, it is possible to create an archive on a Windows system, and when extracted on a MacOS or Linux system, write artifacts outside the intended destination during the extraction process. The reverse is also true for archives created on MacOS/Linux systems and extracted on Windows systems.\n\nImpacted versions: 0.1.0 - 0.31.0\n\n## Patches\n\nThis issue has been patched in DJL 0.31.1 [1]\n\n## Workarounds\n\nDo not use model archive files from sources you do not trust. You should only use model archives from official sources like the DJL Model Zoo, or models that you have created and packaged yourself.\n\n## References\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://github.com/deepjavalibrary/djl/tree/v0.31.1\n[2] https://aws.amazon.com/security/vulnerability-reporting",
"id": "GHSA-jcrp-x7w3-ffmg",
"modified": "2025-10-14T21:54:30Z",
"published": "2025-01-29T22:21:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/deepjavalibrary/djl/security/advisories/GHSA-jcrp-x7w3-ffmg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0851"
},
{
"type": "WEB",
"url": "https://github.com/deepjavalibrary/djl/commit/7415cc5f72aae69ea9716a5e4f709af03a77a619"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-003"
},
{
"type": "PACKAGE",
"url": "https://github.com/deepjavalibrary/djl"
},
{
"type": "WEB",
"url": "https://github.com/deepjavalibrary/djl/releases/tag/v0.31.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Deep Java Library path traversal issue"
}
GHSA-JF8H-FGVQ-GW78
Vulnerability from github – Published: 2025-10-31 09:30 – Updated: 2025-10-31 09:30The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
{
"affected": [],
"aliases": [
"CVE-2025-7846"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T07:15:38Z",
"severity": "HIGH"
},
"details": "The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
"id": "GHSA-jf8h-fgvq-gw78",
"modified": "2025-10-31T09:30:25Z",
"published": "2025-10-31T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7846"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/user-extra-fields/12949844"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH89-3VF3-VWQ5
Vulnerability from github – Published: 2025-06-28 06:31 – Updated: 2025-06-28 06:31The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_remove_temp_file() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover.
{
"affected": [],
"aliases": [
"CVE-2025-6381"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-28T04:15:46Z",
"severity": "HIGH"
},
"details": "The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_remove_temp_file() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover.",
"id": "GHSA-jh89-3vf3-vwq5",
"modified": "2025-06-28T06:31:13Z",
"published": "2025-06-28T06:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6381"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/vidmov-video-wordpress-theme/35542187"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aed40456-43c3-4647-9bce-e7c6139c84cd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPVW-P8PR-9G2X
Vulnerability from github – Published: 2023-12-28 21:30 – Updated: 2024-12-06 18:06An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5115"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-29T18:19:35Z",
"nvd_published_at": "2023-12-18T14:15:10Z",
"severity": "MODERATE"
},
"details": "An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.",
"id": "GHSA-jpvw-p8pr-9g2x",
"modified": "2024-12-06T18:06:32Z",
"published": "2023-12-28T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5115"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/1e930684bc0a76ec3d094cd326738ad26416541c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5701"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5758"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5115"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233810"
},
{
"type": "WEB",
"url": "https://github.com/ansible-community/ansible-build-data/blob/16d36538b96c65d9e0e28d89781361b69857ac0e/8/CHANGELOG-v8.rst#L221"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ansible symlink attack vulnerability"
}
GHSA-M7C8-3QQC-3M6C
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file.
{
"affected": [],
"aliases": [
"CVE-2021-30173"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-07T10:15:00Z",
"severity": "MODERATE"
},
"details": "Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file.",
"id": "GHSA-m7c8-3qqc-3m6c",
"modified": "2022-05-24T19:01:48Z",
"published": "2022-05-24T19:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30173"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4712-7ade4-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M9X5-G73R-5MCJ
Vulnerability from github – Published: 2024-02-21 18:31 – Updated: 2024-02-21 18:31A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-1703"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T17:15:08Z",
"severity": "LOW"
},
"details": "A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-m9x5-g73r-5mcj",
"modified": "2024-02-21T18:31:02Z",
"published": "2024-02-21T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1703"
},
{
"type": "WEB",
"url": "https://github.com/Echosssy/-CRMEB-Mall-commercial-version-of-any-file-read-vulnerability/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.254391"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.254391"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHC8-6X59-4Q3W
Vulnerability from github – Published: 2025-08-20 06:30 – Updated: 2025-08-21 15:30An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution.
{
"affected": [],
"aliases": [
"CVE-2025-57790"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T04:16:04Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution.",
"id": "GHSA-mhc8-6x59-4q3w",
"modified": "2025-08-21T15:30:33Z",
"published": "2025-08-20T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57790"
},
{
"type": "WEB",
"url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MHWR-J844-Q9PQ
Vulnerability from github – Published: 2026-05-05 09:31 – Updated: 2026-05-12 18:30An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.
Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.
When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.
{
"affected": [],
"aliases": [
"CVE-2026-6418"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T07:16:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.\n\n\n\nDue to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.\n\n\n\nWhen the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application\u0027s account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.",
"id": "GHSA-mhwr-j844-q9pq",
"modified": "2026-05-12T18:30:28Z",
"published": "2026-05-05T09:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6418"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MR39-8Q83-8VFH
Vulnerability from github – Published: 2025-11-17 06:30 – Updated: 2025-11-17 06:30TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
{
"affected": [],
"aliases": [
"CVE-2025-13282"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-17T04:15:54Z",
"severity": "HIGH"
},
"details": "TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user\u0027s system.",
"id": "GHSA-mr39-8q83-8vfh",
"modified": "2025-11-17T06:30:15Z",
"published": "2025-11-17T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13282"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.