Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-CCJ3-7F9Q-8JW9

Vulnerability from github – Published: 2024-03-14 06:32 – Updated: 2024-08-09 00:31
VLAI
Details

An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-14T04:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.",
  "id": "GHSA-ccj3-7f9q-8jw9",
  "modified": "2024-08-09T00:31:19Z",
  "published": "2024-03-14T06:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22398"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCV4-2JXQ-JJPM

Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2022-06-08 00:00
VLAI
Details

The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to a path traversal attack, which may allow an attacker to read arbitrary files from the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-24T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to a path traversal attack, which may allow an attacker to read arbitrary files from the file system.",
  "id": "GHSA-ccv4-2jxq-jjpm",
  "modified": "2022-06-08T00:00:33Z",
  "published": "2022-05-25T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32964"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-161-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCVR-7M85-7G88

Vulnerability from github – Published: 2022-12-23 21:30 – Updated: 2023-01-04 18:30
VLAI
Details

AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-23T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.",
  "id": "GHSA-ccvr-7m85-7g88",
  "modified": "2023-01-04T18:30:59Z",
  "published": "2022-12-23T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23854"
    },
    {
      "type": "WEB",
      "url": "https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal"
    },
    {
      "type": "WEB",
      "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2023-001_r.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CF86-3F4J-57G9

Vulnerability from github – Published: 2026-05-29 12:31 – Updated: 2026-06-01 21:30
VLAI
Details

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T12:16:24Z",
    "severity": "HIGH"
  },
  "details": "Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.",
  "id": "GHSA-cf86-3f4j-57g9",
  "modified": "2026-06-01T21:30:41Z",
  "published": "2026-05-29T12:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41280"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CGM7-R9P7-VV73

Vulnerability from github – Published: 2025-04-02 09:30 – Updated: 2025-04-02 09:30
VLAI
Details

A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-02T08:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements",
  "id": "GHSA-cgm7-r9p7-vv73",
  "modified": "2025-04-02T09:30:33Z",
  "published": "2025-04-02T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40714"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-085"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHJ8-M2C2-F36W

Vulnerability from github – Published: 2023-11-27 03:32 – Updated: 2023-11-27 03:32
VLAI
Details

A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-27T02:15:42Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-chj8-m2c2-f36w",
  "modified": "2023-11-27T03:32:09Z",
  "published": "2023-11-27T03:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/N0b1e6/exp/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.246133"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.246133"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHXM-RFR8-CF28

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:15:45Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-chxm-rfr8-cf28",
  "modified": "2025-07-08T18:31:45Z",
  "published": "2025-07-08T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48817"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48817"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPQ8-GJRV-H7MR

Vulnerability from github – Published: 2024-12-23 00:30 – Updated: 2024-12-24 18:30
VLAI
Details

A vulnerability was found in Intelbras VIP S3020 G2, VIP S4020 G2, VIP S4020 G3 and VIP S4320 G2 up to 20241222. It has been classified as critical. This affects an unknown part of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-23T00:15:04Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Intelbras VIP S3020 G2, VIP S4020 G2, VIP S4020 G3 and VIP S4320 G2 up to 20241222. It has been classified as critical. This affects an unknown part of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-cpq8-gjrv-h7mr",
  "modified": "2024-12-24T18:30:49Z",
  "published": "2024-12-23T00:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12897"
    },
    {
      "type": "WEB",
      "url": "https://netsecfish.notion.site/Path-Traversal-Vulnerability-in-IntelBras-IP-Cameras-mtd-Config-Sha1Account1-and-mtd-Confi-15e6b683e67c80809442ee3425f753b7"
    },
    {
      "type": "WEB",
      "url": "https://netsecfish.notion.site/Path-Traversal-Vulnerability-in-IntelBras-IP-Cameras-mtd-Config-Sha1Account1-and-mtd-Confi-15e6b683e67c80809442ee3425f753b7?pvs=4"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.289167"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.289167"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.464260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CQ37-G2QP-3C2P

Vulnerability from github – Published: 2025-06-04 23:54 – Updated: 2025-06-27 22:09
VLAI
Summary
AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
Details

Impact

This vulnerability may lead to:

  • Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.

Reproduce

Follow these steps to set up a test environment for reproducing the vulnerability:

  1. Install dependencies and clone the repository:

bash pip install uv git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot uv run main.py

  1. Alternatively, deploy the program via pip:

bash mkdir astrbot && cd astrbot uvx astrbot init uvx astrbot run

  1. In another terminal, run the following command to exploit the vulnerability:

bash curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json

This request will read the cmd_config.json config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).

Patches

The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.

Workarounds

Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "astrbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.4"
            },
            {
              "fixed": "3.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-04T23:54:35Z",
    "nvd_published_at": "2025-06-02T12:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis vulnerability may lead to:\n\n* Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.\n\n### Reproduce\n\nFollow these steps to set up a test environment for reproducing the vulnerability:\n\n1. Install dependencies and clone the repository:\n\n   ```bash\n   pip install uv\n   git clone https://github.com/AstrBotDevs/AstrBot \u0026\u0026 cd AstrBot\n   uv run main.py\n   ```\n\n2. Alternatively, deploy the program via pip:\n\n   ```bash\n   mkdir astrbot \u0026\u0026 cd astrbot\n   uvx astrbot init\n   uvx astrbot run\n   ```\n\n3. In another terminal, run the following command to exploit the vulnerability:\n\n   ```bash\n   curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json\n   ```\n\nThis request will read the `cmd_config.json` config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).\n\n### Patches\n\nThe vulnerability has been addressed in [Pull Request #1676](https://github.com/AstrBotDevs/AstrBot/pull/1676) and is included in versions \u003e= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.\n\n### Workarounds\nUsers can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.\n\n### References\n\n* [Pull Request #1676](https://github.com/AstrBotDevs/AstrBot/pull/1676)\n* [Issue #1675](https://github.com/AstrBotDevs/AstrBot/issues/1675)",
  "id": "GHSA-cq37-g2qp-3c2p",
  "modified": "2025-06-27T22:09:44Z",
  "published": "2025-06-04T23:54:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48957"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/issues/1675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/pull/1676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AstrBotDevs/AstrBot"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AstrBot Has Path Traversal Vulnerability in /api/chat/get_file"
}

GHSA-CVRH-QGGV-7GF8

Vulnerability from github – Published: 2025-10-07 21:31 – Updated: 2025-10-07 21:31
VLAI
Details

In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T21:15:39Z",
    "severity": "LOW"
  },
  "details": "In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).",
  "id": "GHSA-cvrh-qggv-7gf8",
  "modified": "2025-10-07T21:31:08Z",
  "published": "2025-10-07T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankitects/anki/pull/4041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankitects/anki/pull/4041/commits/51476e05b281737a0c2924342bccdb6e5be52ea9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankitects/anki/releases/tag/25.02.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.