Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-R464-PWQP-F636

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Relative path traversal in Windows User Interface Core allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:50Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal in Windows User Interface Core allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-r464-pwqp-f636",
  "modified": "2026-07-14T18:32:24Z",
  "published": "2026-07-14T18:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50454"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50454"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4FG-94JJ-WP5G

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33
VLAI
Details

In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T16:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups",
  "id": "GHSA-r4fg-94jj-wp5g",
  "modified": "2024-10-08T18:33:13Z",
  "published": "2024-10-08T18:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47948"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R533-5559-J96C

Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45
VLAI
Details

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T09:15:15Z",
    "severity": "LOW"
  },
  "details": "A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.",
  "id": "GHSA-r533-5559-j96c",
  "modified": "2024-04-04T04:45:21Z",
  "published": "2023-06-13T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42474"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-393"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R628-MHMH-QJHW

Vulnerability from github – Published: 2021-08-03 19:00 – Updated: 2023-03-09 16:44
VLAI
Summary
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Details

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Patches

3.2.3 || 4.4.15 || 5.0.7 || 6.1.2

Workarounds

Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.

const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  filter: (file, entry) => {
    if (entry.type === 'SymbolicLink') {
      return false
    } else {
      return true
    }
  }
})

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-03T18:59:57Z",
    "nvd_published_at": "2021-08-03T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks.  Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThis issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\n\n### Patches\n\n3.2.3 || 4.4.15 || 5.0.7 || 6.1.2\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require(\u0027tar\u0027)\n\ntar.x({\n  file: \u0027archive.tgz\u0027,\n  filter: (file, entry) =\u003e {\n    if (entry.type === \u0027SymbolicLink\u0027) {\n      return false\n    } else {\n      return true\n    }\n  }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.",
  "id": "GHSA-r628-mhmh-qjhw",
  "modified": "2023-03-09T16:44:57Z",
  "published": "2021-08-03T19:00:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/isaacs/node-tar"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1771"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/tar"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"
}

GHSA-R7FG-5R7H-546P

Vulnerability from github – Published: 2025-11-15 12:30 – Updated: 2025-11-15 12:30
VLAI
Details

A vulnerability was found in code-projects Email Logging Interface 2.0. Affected is an unknown function of the file signup.cpp. The manipulation of the argument Username results in path traversal: '../filedir'. The attack is only possible with local access. The exploit has been made public and could be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-15T11:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in code-projects Email Logging Interface 2.0. Affected is an unknown function of the file signup.cpp. The manipulation of the argument Username results in path traversal: \u0027../filedir\u0027. The attack is only possible with local access. The exploit has been made public and could be used.",
  "id": "GHSA-r7fg-5r7h-546p",
  "modified": "2025-11-15T12:30:26Z",
  "published": "2025-11-15T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13199"
    },
    {
      "type": "WEB",
      "url": "https://code-projects.org"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asd1238525/cve/blob/main/Dir1c.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asd1238525/cve/blob/main/Dir1c.md#poc"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.332497"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.332497"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.685549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R7Q6-6FMQ-MX4C

Vulnerability from github – Published: 2025-07-18 15:31 – Updated: 2025-07-20 16:44
VLAI
Summary
Filemanager is vulnerable to Relative Path Traversal through filemanager.php
Details

An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simogeo/filemanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-20T16:44:46Z",
    "nvd_published_at": "2025-07-18T14:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint.",
  "id": "GHSA-r7q6-6fmq-mx4c",
  "modified": "2025-07-20T16:44:46Z",
  "published": "2025-07-18T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46002"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simogeo/Filemanager"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v1.7.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v1.8.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v2.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v2.1.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v2.2.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simogeo/Filemanager/releases/tag/v2.3.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zakumini/CVE-List/blob/main/CVE-2025-46002/CVE-2025-46002.md"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/38945"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Filemanager is vulnerable to Relative Path Traversal through filemanager.php"
}

GHSA-RF45-5QVX-8PC5

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33
VLAI
Details

A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2. It has been rated as problematic. Affected by this issue is the function backup of the file wetech-cms-master\wetech-basic-common\src\main\java\tech\wetech\basic\util\BackupFileUtil.java of the component Database Backup Handler. The manipulation of the argument name leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T01:40:29Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2. It has been rated as problematic. Affected by this issue is the function backup of the file wetech-cms-master\\wetech-basic-common\\src\\main\\java\\tech\\wetech\\basic\\util\\BackupFileUtil.java of the component Database Backup Handler. The manipulation of the argument name leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rf45-5qvx-8pc5",
  "modified": "2024-12-12T03:33:03Z",
  "published": "2024-12-12T03:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hadagaga/vuln/blob/master/wetech-cms/Catalog_penetration/Catalog_penetration.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.287864"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.287864"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.458853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RJ4J-2JPH-GG43

Vulnerability from github – Published: 2025-11-24 23:31 – Updated: 2025-11-27 08:40
VLAI
Summary
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
Details

Summary

Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR lf-edge/ekuiper#3911. The issues allow attacker-controlled input (rule names, schema versions, plugin names, uploaded file names, and ZIP entries) to influence file system paths used by the application. In vulnerable deployments, this can permit files to be created, overwritten, or extracted outside the intended directories, potentially enabling disclosure of sensitive files, tampering with configuration or plugin binaries, denial of service, or other host compromise scenarios.

Several components used unvalidated user input when constructing filesystem paths or when extracting archives. In each case, input was accepted and used directly in path operations (join, create, delete, extract) without sufficient sanitization or canonicalization, allowing the input to include path separators, .. segments, or absolute paths.

Impact

Arbitrary file overwrite / deletion: attackers could overwrite or delete files outside the intended directory, which can corrupt application data, remove logs, or disable services.

Resources

  • https://github.com/lf-edge/ekuiper/commit/58362b089c76f08c400fe0dbb3667e6e871eaffd
  • https://github.com/lf-edge/ekuiper/pull/3911
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-24T23:31:39Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nMultiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR [lf-edge/ekuiper#3911](https://github.com/lf-edge/ekuiper/pull/3911). The issues allow attacker-controlled input (rule names, schema versions, plugin names, uploaded file names, and ZIP entries) to influence file system paths used by the application. In vulnerable deployments, this can permit files to be created, overwritten, or extracted outside the intended directories, potentially enabling disclosure of sensitive files, tampering with configuration or plugin binaries, denial of service, or other host compromise scenarios.\n\nSeveral components used unvalidated user input when constructing filesystem paths or when extracting archives. In each case, input was accepted and used directly in path operations (join, create, delete, extract) without sufficient sanitization or canonicalization, allowing the input to include path separators, `..` segments, or absolute paths.\n\n### Impact\n**Arbitrary file overwrite / deletion:** attackers could overwrite or delete files outside the intended directory, which can corrupt application data, remove logs, or disable services.\n\n### Resources\n- https://github.com/lf-edge/ekuiper/commit/58362b089c76f08c400fe0dbb3667e6e871eaffd\n- https://github.com/lf-edge/ekuiper/pull/3911",
  "id": "GHSA-rj4j-2jph-gg43",
  "modified": "2025-11-27T08:40:42Z",
  "published": "2025-11-24T23:31:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-rj4j-2jph-gg43"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/pull/3911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/commit/58362b089c76f08c400fe0dbb3667e6e871eaffd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction"
}

GHSA-RP2V-V467-Q9VQ

Vulnerability from github – Published: 2022-12-02 22:25 – Updated: 2024-11-18 16:26
VLAI
Summary
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package
Details

Impact

Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.

This is due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall

Remediation

Upgrade to GuardDog v0.1.5 or more recent.

References

  • https://semgrep.dev/r?q=trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal
  • https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html
  • https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "guarddog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-02T22:25:25Z",
    "nvd_published_at": "2022-12-17T00:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nRunning GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.\n\nThis is due to a path traversal vulnerability when extracting the `.tar.gz` file of the package being scanned, which exists by design in the `tarfile.TarFile.extractall` function. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall\n\n### Remediation\n\nUpgrade to GuardDog v0.1.5 or more recent.\n\n### References\n\n* https://semgrep.dev/r?q=trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal\n* https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html\n* https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall\n",
  "id": "GHSA-rp2v-v467-q9vq",
  "modified": "2024-11-18T16:26:28Z",
  "published": "2022-12-02T22:25:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23531"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/pull/89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/commit/98af5c8c1e9c15fa888c900252e76116b0ec25d1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataDog/guarddog"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/releases/tag/v0.1.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42994.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package"
}

GHSA-RPRG-4V7Q-87V7

Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2024-05-20 21:38
VLAI
Summary
Buildah (as part of Podman) vulnerable to Path Traversal
Details

A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-rc1"
            },
            {
              "last_affected": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-08T23:59:57Z",
    "nvd_published_at": "2022-12-08T16:15:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.",
  "id": "GHSA-rprg-4v7q-87v7",
  "modified": "2024-05-20T21:38:32Z",
  "published": "2022-12-08T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/issues/13293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/pull/13531"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/commit/7934b77dd5372c22063686a218b8b48c2fcaca8c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144989"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/podman"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Buildah (as part of Podman) vulnerable to Path Traversal"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.