CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-QGFR-5HQP-VRW9
Vulnerability from github – Published: 2020-09-03 21:16 – Updated: 2023-04-18 14:49Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing../.
Recommendation
Upgrade to version 4.2.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "decompress"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-12265"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:51:16Z",
"nvd_published_at": "2020-04-26T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Versions of `decompress` prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing`../`.\n\n\n## Recommendation\n\nUpgrade to version 4.2.1 or later.",
"id": "GHSA-qgfr-5hqp-vrw9",
"modified": "2023-04-18T14:49:55Z",
"published": "2020-09-03T21:16:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12265"
},
{
"type": "WEB",
"url": "https://github.com/kevva/decompress/issues/71"
},
{
"type": "WEB",
"url": "https://github.com/kevva/decompress/pull/73"
},
{
"type": "WEB",
"url": "https://github.com/kevva/decompress/commit/967146e70f48be32ed1a69daa3941d681944d513"
},
{
"type": "PACKAGE",
"url": "https://github.com/kevva/decompress"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Path Traversal in decompress"
}
GHSA-QGQR-XGPP-PCG3
Vulnerability from github – Published: 2022-05-17 02:19 – Updated: 2025-04-09 03:59Unspecified vulnerability in Opera before 9.60 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a redirect that specifies a crafted URL.
{
"affected": [],
"aliases": [
"CVE-2008-4694"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-10-23T22:00:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in Opera before 9.60 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a redirect that specifies a crafted URL.",
"id": "GHSA-qgqr-xgpp-pcg3",
"modified": "2025-04-09T03:59:57Z",
"published": "2022-05-17T02:19:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4694"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45722"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00009.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32177"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32394"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32538"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200811-01.xml"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1021016"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/21/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/22/5"
},
{
"type": "WEB",
"url": "http://www.opera.com/docs/changelogs/freebsd/960"
},
{
"type": "WEB",
"url": "http://www.opera.com/docs/changelogs/linux/960"
},
{
"type": "WEB",
"url": "http://www.opera.com/docs/changelogs/mac/960"
},
{
"type": "WEB",
"url": "http://www.opera.com/docs/changelogs/solaris/960"
},
{
"type": "WEB",
"url": "http://www.opera.com/docs/changelogs/windows/960"
},
{
"type": "WEB",
"url": "http://www.opera.com/support/search/view/901"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31631"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2765"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QGRX-JQWH-WCX9
Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2024-11-14 21:31Windows Cleanup Manager Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21838"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-11T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Cleanup Manager Elevation of Privilege Vulnerability.",
"id": "GHSA-qgrx-jqwh-wcx9",
"modified": "2024-11-14T21:31:43Z",
"published": "2022-01-12T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21838"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21838"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH3G-27JF-3J54
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2024-01-16 21:28Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puppet"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puppet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-3870"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T21:28:46Z",
"nvd_published_at": "2011-10-27T20:55:00Z",
"severity": "MODERATE"
},
"details": "Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.",
"id": "GHSA-qh3g-27jf-3j54",
"modified": "2024-01-16T21:28:46Z",
"published": "2022-05-14T00:56:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3870"
},
{
"type": "WEB",
"url": "https://github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30"
},
{
"type": "WEB",
"url": "https://github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0"
},
{
"type": "PACKAGE",
"url": "https://github.com/puppetlabs/puppet"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3870.yml"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/cve-2011-3870"
},
{
"type": "WEB",
"url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2314"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1223-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1223-2"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Puppet allows local users to modify the permissions of arbitrary files"
}
GHSA-QHFC-5XCH-PG48
Vulnerability from github – Published: 2022-05-02 06:12 – Updated: 2022-05-02 06:12The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory.
{
"affected": [],
"aliases": [
"CVE-2010-0424"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-02-25T19:30:00Z",
"severity": "LOW"
},
"details": "The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory.",
"id": "GHSA-qhfc-5xch-pg48",
"modified": "2022-05-02T06:12:38Z",
"published": "2022-05-02T06:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0424"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=565809"
},
{
"type": "WEB",
"url": "http://git.fedorahosted.org/git/cronie.git?p=cronie.git%3Ba=commit%3Bh=9e4a8fa5f9171fb724981f53879c9b20264aeb61"
},
{
"type": "WEB",
"url": "http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commit;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035762.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38700"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38741"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48104"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/38391"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QHPV-F2H3-4MH8
Vulnerability from github – Published: 2022-05-17 01:07 – Updated: 2022-05-17 01:07Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.
{
"affected": [],
"aliases": [
"CVE-2015-5705"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-06T21:29:00Z",
"severity": "HIGH"
},
"details": "Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.",
"id": "GHSA-qhpv-f2h3-4mh8",
"modified": "2022-05-17T01:07:23Z",
"published": "2022-05-17T01:07:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5705"
},
{
"type": "WEB",
"url": "https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1249645"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/08/01/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJ42-4Q8C-3R9V
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10There is an information leak vulnerability in the digital media player (DMS) of ZTE's residential gateway product. The attacker could insert the USB disk with the symbolic link into the residential gateway, and access unauthorized directory information through the symbolic link, causing information leak.
{
"affected": [],
"aliases": [
"CVE-2021-21740"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-09T16:15:00Z",
"severity": "LOW"
},
"details": "There is an information leak vulnerability in the digital media player (DMS) of ZTE\u0027s residential gateway product. The attacker could insert the USB disk with the symbolic link into the residential gateway, and access unauthorized directory information through the symbolic link, causing information leak.",
"id": "GHSA-qj42-4q8c-3r9v",
"modified": "2022-05-24T19:10:26Z",
"published": "2022-05-24T19:10:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21740"
},
{
"type": "WEB",
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1017244"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ96-83MW-F2RW
Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges.
{
"affected": [],
"aliases": [
"CVE-2022-32905"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T20:15:00Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges.",
"id": "GHSA-qj96-83mw-f2rw",
"modified": "2022-11-02T19:00:23Z",
"published": "2022-11-02T12:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32905"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJC9-F8HG-MV2P
Vulnerability from github – Published: 2025-12-02 21:31 – Updated: 2025-12-02 21:31JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.
{
"affected": [],
"aliases": [
"CVE-2025-34352"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T19:15:49Z",
"severity": "HIGH"
},
"details": "JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.",
"id": "GHSA-qjc9-f8hg-mv2p",
"modified": "2025-12-02T21:31:29Z",
"published": "2025-12-02T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34352"
},
{
"type": "WEB",
"url": "https://jumpcloud.com/platform/remote-assistance"
},
{
"type": "WEB",
"url": "https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QJQ3-WQJ5-G37Q
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-01 19:26Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries.
This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
Pipeline: Groovy Libraries Plugin 798.v5cc688825312 prohibits symbolic links in shared libraries.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:pipeline-groovy-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "798.v5cc688825312"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48921"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T19:26:57Z",
"nvd_published_at": "2026-05-27T15:16:31Z",
"severity": "HIGH"
},
"details": "Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries.\n\nThis allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.\n\nPipeline: Groovy Libraries Plugin 798.v5cc688825312 prohibits symbolic links in shared libraries.",
"id": "GHSA-qjq3-wqj5-g37q",
"modified": "2026-07-01T19:26:57Z",
"published": "2026-05-27T15:33:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48921"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Pipeline: Groovy Libraries Plugin does not prohibit symbolic links in shared libraries"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.