CWE-434
AllowedUnrestricted Upload of File with Dangerous Type
Abstraction: Base · Status: Draft
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
5971 vulnerabilities reference this CWE, most recent first.
GHSA-R9VJ-FRG8-HC25
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.
This issue was fixed in version 1.2.2.
{
"affected": [],
"aliases": [
"CVE-2026-13165"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T14:16:41Z",
"severity": "HIGH"
},
"details": "SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).\u00a0An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u00a0can lead to remote code execution.\n\nThis issue was fixed in version 1.2.2.",
"id": "GHSA-r9vj-frg8-hc25",
"modified": "2026-06-29T15:32:05Z",
"published": "2026-06-29T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13165"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/06/CVE-2026-13165"
},
{
"type": "WEB",
"url": "https://www.elektronicznypodpis.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R9W3-4W3V-H5X6
Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
{
"affected": [],
"aliases": [
"CVE-2024-7770"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T11:15:10Z",
"severity": "HIGH"
},
"details": "The Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027upload\u0027 function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible.",
"id": "GHSA-r9w3-4w3v-h5x6",
"modified": "2024-09-10T12:30:38Z",
"published": "2024-09-10T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7770"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Http/Controllers/FileManagerController.php#L26"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinder.class.php#L1210"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinder.class.php#L3257"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinderConnector.class.php#L160"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3138710"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cae7702-e531-45b9-9131-42edbc073a07?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RC2Q-P83G-48VC
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server via uploading a maliciously crafted PHP file.
{
"affected": [],
"aliases": [
"CVE-2020-27397"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-23T18:15:00Z",
"severity": "HIGH"
},
"details": "Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server via uploading a maliciously crafted PHP file.",
"id": "GHSA-rc2q-p83g-48vc",
"modified": "2022-05-24T17:37:05Z",
"published": "2022-05-24T17:37:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27397"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/160337/Online-Matrimonial-Project-1.0-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RC7G-PRG9-344F
Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2021-12-18 00:02fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.
{
"affected": [],
"aliases": [
"CVE-2021-43117"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T12:15:00Z",
"severity": "CRITICAL"
},
"details": "fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.",
"id": "GHSA-rc7g-prg9-344f",
"modified": "2021-12-18T00:02:03Z",
"published": "2021-12-14T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43117"
},
{
"type": "WEB",
"url": "https://github.com/ambitiousleader/some-automated-script/issues/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RCJQ-V77Q-5648
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/.
{
"affected": [],
"aliases": [
"CVE-2019-16131"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T03:15:00Z",
"severity": "HIGH"
},
"details": "framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/.",
"id": "GHSA-rcjq-v77q-5648",
"modified": "2024-04-04T01:54:06Z",
"published": "2022-05-24T16:55:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16131"
},
{
"type": "WEB",
"url": "http://www.iwantacve.cn/index.php/archives/289"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCRQ-PV9X-J35X
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2026-04-01 18:34Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3.
{
"affected": [],
"aliases": [
"CVE-2025-26927"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:18Z",
"severity": "CRITICAL"
},
"details": "Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3.",
"id": "GHSA-rcrq-pv9x-j35x",
"modified": "2026-04-01T18:34:42Z",
"published": "2025-04-16T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26927"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/aihub/vulnerability/wordpress-ai-hub-plugin-1-3-3-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCVG-Q682-C3RX
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34A vulnerability in the administration console of Micro Focus GroupWise prior to version 18.0.2 may allow a remote attacker authenticated as an administrator to upload files to an arbitrary path on the server. In certain circumstances this could result in remote code execution.
{
"affected": [],
"aliases": [
"CVE-2018-12468"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-01T20:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the administration console of Micro Focus GroupWise prior to version 18.0.2 may allow a remote attacker authenticated as an administrator to upload files to an arbitrary path on the server. In certain circumstances this could result in remote code execution.",
"id": "GHSA-rcvg-q682-c3rx",
"modified": "2022-05-13T01:34:46Z",
"published": "2022-05-13T01:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12468"
},
{
"type": "WEB",
"url": "https://www.novell.com/support/kb/doc.php?id=7023223"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCVR-M4PW-53H5
Vulnerability from github – Published: 2024-11-29 03:31 – Updated: 2024-11-29 03:31A vulnerability classified as problematic was found in Guizhou Xiaoma Technology jpress 5.1.2. Affected by this vulnerability is an unknown functionality of the file /commons/attachment/upload of the component Avatar Handler. The manipulation of the argument files leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-11971"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-28T22:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in Guizhou Xiaoma Technology jpress 5.1.2. Affected by this vulnerability is an unknown functionality of the file /commons/attachment/upload of the component Avatar Handler. The manipulation of the argument files leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-rcvr-m4pw-53h5",
"modified": "2024-11-29T03:31:04Z",
"published": "2024-11-29T03:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11971"
},
{
"type": "WEB",
"url": "https://github.com/dycccccccc/jpress/blob/main/JPRESS%20file%20upload%20leads%20to%20code%20execution.docx"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.286381"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.286381"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.453637"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RCXC-WJGW-579R
Vulnerability from github – Published: 2025-01-16 19:35 – Updated: 2025-08-20 17:40Impact
If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file.
If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead.
MMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders, however in testing they were not possible to exploit.
Patches
This is fixed in MMR v1.3.8. MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow scope of theoretical issues with all decoders MMR uses for thumbnails.
Workarounds
Disabling the SVG, JPEGXL, and MP4 thumbnail types in the MMR config prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit risk surface.
Containers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg.
Some installations of ImageMagick may disable "unsafe" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default.
References
A similar issue was discovered in Synapse: https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/t2bot/matrix-media-repo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56515"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-16T19:35:09Z",
"nvd_published_at": "2025-01-16T20:15:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIf SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file.\n\nIf MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead.\n\nMMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders, however in testing they were not possible to exploit.\n\n### Patches\n\nThis is fixed in [MMR v1.3.8](https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8). MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow scope of theoretical issues with all decoders MMR uses for thumbnails.\n\n### Workarounds\n\nDisabling the SVG, JPEGXL, and MP4 thumbnail types in the MMR config prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit risk surface. \n\nContainers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg. \n\nSome installations of ImageMagick may disable \"unsafe\" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default.\n\n### References\n\nA similar issue was discovered in Synapse: https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
"id": "GHSA-rcxc-wjgw-579r",
"modified": "2025-08-20T17:40:24Z",
"published": "2025-01-16T19:35:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-rcxc-wjgw-579r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56515"
},
{
"type": "PACKAGE",
"url": "https://github.com/t2bot/matrix-media-repo"
},
{
"type": "WEB",
"url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Matrix Media Repo (MMR) allows untrusted file formats can be thumbnailed, invoking potentially further untrusted decoders"
}
GHSA-RF3W-29H3-R636
Vulnerability from github – Published: 2021-09-20 20:45 – Updated: 2021-09-17 17:54An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.8"
},
"package": {
"ecosystem": "Packagist",
"name": "feehi/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-21322"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-17T17:54:21Z",
"nvd_published_at": "2021-09-15T22:15:00Z",
"severity": "HIGH"
},
"details": "An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.",
"id": "GHSA-rf3w-29h3-r636",
"modified": "2021-09-17T17:54:21Z",
"published": "2021-09-20T20:45:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21322"
},
{
"type": "WEB",
"url": "https://github.com/liufee/cms/issues/44"
},
{
"type": "WEB",
"url": "https://github.com/liufee/cms/commit/ecbfb0ca77874ead5b6e79b96a5e1f94e67475a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/liufee/cms"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Arbitrary Code Execution in feehi/cms"
}
Mitigation
Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
Mitigation MIT-21
Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Mitigation
Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Mitigation
Strategy: Input Validation
Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]
Mitigation
When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.
Mitigation
Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.