Common Weakness Enumeration

CWE-36

Allowed

Absolute Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

245 vulnerabilities reference this CWE, most recent first.

GHSA-H6GW-MWPR-89HW

Vulnerability from github – Published: 2025-08-22 12:30 – Updated: 2025-08-22 12:30
VLAI
Details

WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T12:15:34Z",
    "severity": "HIGH"
  },
  "details": "WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.",
  "id": "GHSA-h6gw-mwpr-89hw",
  "modified": "2025-08-22T12:30:31Z",
  "published": "2025-08-22T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9257"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10329-a1c5d-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10328-dbc35-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H8WQ-7XC4-P3QX

Vulnerability from github – Published: 2026-03-09 21:31 – Updated: 2026-06-08 18:36
VLAI
Summary
NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()
Details

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-0846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T01:14:15Z",
    "nvd_published_at": "2026-03-09T20:16:05Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.",
  "id": "GHSA-h8wq-7xc4-p3qx",
  "modified": "2026-06-08T18:36:48Z",
  "published": "2026-03-09T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/pull/3485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nltk/nltk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()"
}

GHSA-H994-99H2-49QC

Vulnerability from github – Published: 2024-01-29 21:30 – Updated: 2024-01-29 21:30
VLAI
Details

Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-29T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.\n\n",
  "id": "GHSA-h994-99h2-49qc",
  "modified": "2024-01-29T21:30:27Z",
  "published": "2024-01-29T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30970"
    },
    {
      "type": "WEB",
      "url": "https://palantir.safebase.us/?tcuUid=69be99ef-ad24-4339-9017-c8bf70789c72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9M7-C24M-GQR9

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:14Z",
    "severity": "MODERATE"
  },
  "details": "parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.",
  "id": "GHSA-h9m7-c24m-gqr9",
  "modified": "2025-03-20T12:32:38Z",
  "published": "2025-03-20T12:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10047"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/69c3a27c-bd93-4aff-a46b-56798f28a3ce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHW5-29F6-HF4X

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 16:05
VLAI
Summary
DB-GPT Absolute Path Traversal vulnerability
Details

In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the file_key and doc_file.filename parameters are user-controllable, enabling the construction of paths outside the intended directory. This can lead to overwriting essential system files, such as SSH keys, for further exploitation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dbgpt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-10831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T16:05:47Z",
    "nvd_published_at": "2025-03-20T10:15:20Z",
    "severity": "CRITICAL"
  },
  "details": "In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the `file_key` and `doc_file.filename` parameters are user-controllable, enabling the construction of paths outside the intended directory. This can lead to overwriting essential system files, such as SSH keys, for further exploitation.",
  "id": "GHSA-hhw5-29f6-hf4x",
  "modified": "2025-03-21T16:05:47Z",
  "published": "2025-03-20T12:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10831"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eosphoros-ai/DB-GPT"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/5c34c39f-66d4-414c-ab6a-f7888a5d882a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DB-GPT Absolute Path Traversal vulnerability"
}

GHSA-HV5M-FHGM-GWW4

Vulnerability from github – Published: 2024-12-16 09:31 – Updated: 2024-12-16 09:31
VLAI
Details

The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T07:15:06Z",
    "severity": "HIGH"
  },
  "details": "The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user\u0027s system.",
  "id": "GHSA-hv5m-fhgm-gww4",
  "modified": "2024-12-16T09:31:09Z",
  "published": "2024-12-16T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12643"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-8301-c2f4b-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-8295-bfa3b-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J495-3VFG-6J5M

Vulnerability from github – Published: 2023-09-17 06:30 – Updated: 2023-09-17 06:30
VLAI
Details

A vulnerability has been found in DedeCMS up to 5.7.100 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /include/dialog/select_templets_post.php. The manipulation of the argument activepath leads to absolute path traversal. The associated identifier of this vulnerability is VDB-239863.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-17T06:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in DedeCMS up to 5.7.100 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /include/dialog/select_templets_post.php. The manipulation of the argument activepath leads to absolute path traversal. The associated identifier of this vulnerability is VDB-239863.",
  "id": "GHSA-j495-3vfg-6j5m",
  "modified": "2023-09-17T06:30:24Z",
  "published": "2023-09-17T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bayuncao/DEDEcms"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.239863"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.239863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4PW-2G9C-468H

Vulnerability from github – Published: 2025-08-22 12:30 – Updated: 2025-08-22 12:30
VLAI
Details

WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T12:15:34Z",
    "severity": "HIGH"
  },
  "details": "WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.",
  "id": "GHSA-j4pw-2g9c-468h",
  "modified": "2025-08-22T12:30:31Z",
  "published": "2025-08-22T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9259"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10329-a1c5d-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10328-dbc35-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J98H-M6PX-H428

Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 15:35
VLAI
Details

The NinjaScanner – Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, including files outside the WordPress root directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T13:15:26Z",
    "severity": "HIGH"
  },
  "details": "The NinjaScanner \u2013 Virus \u0026 Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027nscan_ajax_quarantine\u0027 and \u0027nscan_quarantine_select\u0027 functions in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, including files outside the WordPress root directory.",
  "id": "GHSA-j98h-m6px-h428",
  "modified": "2025-07-31T15:35:47Z",
  "published": "2025-07-31T15:35:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8213"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/ajax_hooks.php#L331"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/tab_quarantine.php#L114"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3336569"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1da345-ddbb-48ad-b0c1-bb0cb3b0fc69?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9G7-MQHH-9HXF

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:24
VLAI
Summary
DB-GPT Absolute Path Traversal in knowledge/{space_name}/document/upload
Details

eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on the target server. This vulnerability arises because the 'doc_file.filename' parameter is user-controllable, enabling the construction of absolute paths.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dbgpt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-10833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:24:47Z",
    "nvd_published_at": "2025-03-20T10:15:20Z",
    "severity": "CRITICAL"
  },
  "details": "eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as \u0027knowledge\u0027 is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on the target server. This vulnerability arises because the \u0027doc_file.filename\u0027 parameter is user-controllable, enabling the construction of absolute paths.",
  "id": "GHSA-j9g7-mqhh-9hxf",
  "modified": "2025-03-21T17:24:48Z",
  "published": "2025-03-20T12:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eosphoros-ai/DB-GPT/commit/780ce803e325b87f4ddfbe5824451e379aeee56c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eosphoros-ai/DB-GPT"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/dc58e981-e325-4c11-b4e1-1095890fd15a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DB-GPT Absolute Path Traversal in knowledge/{space_name}/document/upload"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-597: Absolute Path Traversal

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.