CWE-29
AllowedPath Traversal: '\..\filename'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
127 vulnerabilities reference this CWE, most recent first.
GHSA-233R-PC37-VPF7
Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the install_model() function within lollms_core/lollms/binding.py, where the application fails to properly sanitize the file:// protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the path and variant_name parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.
{
"affected": [],
"aliases": [
"CVE-2024-2361"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T09:15:10Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.",
"id": "GHSA-233r-pc37-vpf7",
"modified": "2024-05-16T09:33:07Z",
"published": "2024-05-16T09:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2361"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/cd383817-924a-445a-838e-d0c867c6a176"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2RHQ-96Q8-4VJQ
Vulnerability from github – Published: 2025-07-07 15:30 – Updated: 2025-07-08 18:49A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the encode_image function in generic_utils.py. This vulnerability allows an attacker to manipulate the image_path input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "llama-index-core"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.23"
},
{
"fixed": "0.12.41"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6209"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-08T18:26:03Z",
"nvd_published_at": "2025-07-07T13:15:28Z",
"severity": "HIGH"
},
"details": "A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.",
"id": "GHSA-2rhq-96q8-4vjq",
"modified": "2025-07-08T18:49:14Z",
"published": "2025-07-07T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6209"
},
{
"type": "WEB",
"url": "https://github.com/run-llama/llama_index/commit/cdeaab91a204d1c3527f177dac37390327aef274"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-65.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/run-llama/llama_index"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e89d14f8-bfe8-4c9a-bb2a-656c01cc9a68"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LlamaIndex vulnerable to Path Traversal attack through its encode_image function"
}
GHSA-3593-XF56-F85V
Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-07 15:30A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the combination of path.join and normalizePath allows attackers to bypass directory restrictions and access or delete arbitrary .json files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like package.json. The issue is resolved in version 1.12.1.
{
"affected": [],
"aliases": [
"CVE-2026-5627"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T14:16:24Z",
"severity": "CRITICAL"
},
"details": "A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.",
"id": "GHSA-3593-xf56-f85v",
"modified": "2026-04-07T15:30:51Z",
"published": "2026-04-07T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5627"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3MMF-6WP6-5HFJ
Vulnerability from github – Published: 2023-02-25 03:30 – Updated: 2023-03-06 18:30Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
{
"affected": [],
"aliases": [
"CVE-2023-1034"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-25T02:15:00Z",
"severity": "HIGH"
},
"details": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository salesagility/suitecrm prior to 7.12.9.",
"id": "GHSA-3mmf-6wp6-5hfj",
"modified": "2023-03-06T18:30:22Z",
"published": "2023-02-25T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1034"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/suitecrm/commit/c19f221a41706efc8d73cef95c5e362c4f86bf06"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0c1365bc-8d9a-4ae0-8b55-615d492b3730"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3P9Q-7W63-3F8Q
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:30In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file path to write files to arbitrary locations on the server's filesystem. This can result in overwriting critical system or application files, causing denial of service, or potentially achieving remote code execution (RCE). RCE can allow an attacker to execute malicious code with the privileges of the user running the application, leading to a full system compromise.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7033"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T17:30:18Z",
"nvd_published_at": "2025-03-20T10:15:34Z",
"severity": "MODERATE"
},
"details": "In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file path to write files to arbitrary locations on the server\u0027s filesystem. This can result in overwriting critical system or application files, causing denial of service, or potentially achieving remote code execution (RCE). RCE can allow an attacker to execute malicious code with the privileges of the user running the application, leading to a full system compromise.",
"id": "GHSA-3p9q-7w63-3f8q",
"modified": "2025-03-21T17:30:18Z",
"published": "2025-03-20T12:32:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7033"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint"
}
GHSA-3PWW-QVR8-6MHP
Vulnerability from github – Published: 2023-11-16 18:30 – Updated: 2025-01-09 23:39LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ray"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-6021"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-29"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-27T23:20:39Z",
"nvd_published_at": "2023-11-16T17:15:09Z",
"severity": "CRITICAL"
},
"details": "LFI in Ray\u0027s log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
"id": "GHSA-3pww-qvr8-6mhp",
"modified": "2025-01-09T23:39:59Z",
"published": "2023-11-16T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6021"
},
{
"type": "WEB",
"url": "https://github.com/ray-project/ray"
},
{
"type": "WEB",
"url": "https://github.com/ray-project/ray/releases/tag/ray-2.8.1"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8"
},
{
"type": "WEB",
"url": "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ray Path Traversal vulnerability"
}
GHSA-3W8H-VHC9-93CJ
Vulnerability from github – Published: 2024-06-02 12:30 – Updated: 2024-06-02 12:30A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. By inserting '../' sequences in these parameters, attackers can traverse the directory structure and access files outside of the intended directory. Successful exploitation results in unauthorized access to sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-2178"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-02T11:15:07Z",
"severity": "HIGH"
},
"details": "A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the \u0027copy_to_custom_personas\u0027 endpoint in the \u0027lollms_personalities_infos.py\u0027 file. This vulnerability allows attackers to read arbitrary files by manipulating the \u0027category\u0027 and \u0027name\u0027 parameters during the \u0027Copy to custom personas folder for editing\u0027 process. By inserting \u0027../\u0027 sequences in these parameters, attackers can traverse the directory structure and access files outside of the intended directory. Successful exploitation results in unauthorized access to sensitive information.",
"id": "GHSA-3w8h-vhc9-93cj",
"modified": "2024-06-02T12:30:51Z",
"published": "2024-06-02T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2178"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e585f1dd-a026-4419-8f42-5835e85fad9e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3WQ4-XJPF-PJ4J
Vulnerability from github – Published: 2026-05-20 21:31 – Updated: 2026-05-20 21:31NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause a path traversal by loading a malicious file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2026-24217"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T20:16:36Z",
"severity": "HIGH"
},
"details": "NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause a path traversal by loading a malicious file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.",
"id": "GHSA-3wq4-xjpf-pj4j",
"modified": "2026-05-20T21:31:30Z",
"published": "2026-05-20T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24217"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5831"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24217"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3X47-W4RX-6PM7
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-09-13 19:34A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize_path_from_endpoint and sanitize_path functions in lollms_core\lollms\security.py. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.5.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lollms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-3429"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-29"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-13T19:34:34Z",
"nvd_published_at": "2024-06-06T19:16:02Z",
"severity": "HIGH"
},
"details": "A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\\lollms\\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.5.0.",
"id": "GHSA-3x47-w4rx-6pm7",
"modified": "2024-09-13T19:34:34Z",
"published": "2024-06-06T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3429"
},
{
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/f4424cfc3d6dfb3ad5ac17dd46801efe784933e9"
},
{
"type": "PACKAGE",
"url": "https://github.com/parisneo/lollms"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/fd8f50c8-17f0-40be-a2c6-bb8d80f7c409"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "LoLLMS Path Traversal vulnerability"
}
GHSA-46G3-F9R8-XJ4V
Vulnerability from github – Published: 2023-06-06 01:51 – Updated: 2023-06-06 01:51Impact
A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite.
The impact of this vulnerability allows attackers to:
-
Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information.
-
Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services.
-
Cause a denial of service (DoS) if critical system files are overwritten or deleted.
The consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It's crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system.
Patches
Update to version 10.5.22 or apply this patch manually https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed.patch
Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed.patch manually.
References
https://huntr.dev/bounties/5df8b951-e2f1-4548-a7e3-601186e1b191/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.5.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2984"
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T01:51:34Z",
"nvd_published_at": "2023-05-30T15:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the `pimcore_log` parameter.This can lead to potential denial of service---key file overwrite.\n\nThe impact of this vulnerability allows attackers to:\n\n- Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information.\n\n- Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services.\n\n- Cause a denial of service (DoS) if critical system files are overwritten or deleted.\n\nThe consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It\u0027s crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system.\n\n### Patches\nUpdate to version 10.5.22 or apply this patch manually https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed.patch manually.\n\n### References\nhttps://huntr.dev/bounties/5df8b951-e2f1-4548-a7e3-601186e1b191/",
"id": "GHSA-46g3-f9r8-xj4v",
"modified": "2023-06-06T01:51:34Z",
"published": "2023-06-06T01:51:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-46g3-f9r8-xj4v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2984"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/5df8b951-e2f1-4548-a7e3-601186e1b191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Pimcore vulnerable to Pre-Auth Path Traversal in pimcore_log parameter"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.