CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-WC84-J36W-PW4X
Vulnerability from github – Published: 2026-06-18 20:39 – Updated: 2026-06-18 20:39Summary
Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. In affected versions, a workspace .env in a repository opened by a trusted operator could set STATE_DIRECTORY before runtime dependency root resolution.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could load bundled runtime dependencies from an unintended local state path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.2.
Mitigations
avoid opening untrusted workspace env files before runtime dependency installation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53858"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T20:39:19Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nWorkspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. In affected versions, a workspace `.env` in a repository opened by a trusted operator could set `STATE_DIRECTORY` before runtime dependency root resolution.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could load bundled runtime dependencies from an unintended local state path. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.2`.\n\n### Mitigations\n\navoid opening untrusted workspace env files before runtime dependency installation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-wc84-j36w-pw4x",
"modified": "2026-06-18T20:39:19Z",
"published": "2026-06-18T20:39:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53858"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-runtime-dependency-loading-via-state-directory-environment-variable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots"
}
GHSA-WCCG-GR78-83XQ
Vulnerability from github – Published: 2023-12-08 00:30 – Updated: 2023-12-08 00:30Multiple components of Iconics SCADA Suite are prone to a Phantom DLL loading vulnerability. This issue arises from the applications improperly searching for and loading dynamic link libraries, potentially allowing an attacker to execute malicious code via a DLL with a matching name in an accessible search path. The affected components are: * MMXFax.exe * winfax.dll
- MelSim2ComProc.exe
-
Sim2ComProc.dll
-
MMXCall_in.exe * libdxxmt.dll
- libsrlmt.dll
{
"affected": [],
"aliases": [
"CVE-2023-6061"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-08T00:15:07Z",
"severity": "MODERATE"
},
"details": "Multiple components of Iconics SCADA Suite are prone to a Phantom DLL loading vulnerability. This issue arises from the applications improperly searching for and loading dynamic link libraries, potentially allowing an attacker to execute malicious code via a DLL with a matching name in an accessible search path. The affected components are:\n * MMXFax.exe * winfax.dll\n\n\n\n\n * MelSim2ComProc.exe\n * Sim2ComProc.dll\n\n\n\n\n * MMXCall_in.exe * libdxxmt.dll\n * libsrlmt.dll\n\n\n\n\n\n\n",
"id": "GHSA-wccg-gr78-83xq",
"modified": "2023-12-08T00:30:31Z",
"published": "2023-12-08T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6061"
},
{
"type": "WEB",
"url": "https://gist.github.com/AsherDLL/abdd2334ac8872999d73ba7b20328c21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCG8-962M-HQWG
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2025-04-20 03:37Untrusted search path vulnerability in PrimeDrive Desktop Application 1.4.3 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2108"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-28T16:59:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in PrimeDrive Desktop Application 1.4.3 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-wcg8-962m-hqwg",
"modified": "2025-04-20T03:37:01Z",
"published": "2022-05-17T02:46:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2108"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN88713190/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96619"
},
{
"type": "WEB",
"url": "http://www.softbank.jp/biz/news/cloud/170215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WCJF-J4G2-QJ96
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49GalaxyClient version 2.0.28.9 loads unsigned DLLs such as zlib1.dll, libgcc_s_dw2-1.dll and libwinpthread-1.dll from PATH, which allows an attacker to potentially run code locally through unsigned DLL loading.
{
"affected": [],
"aliases": [
"CVE-2021-26807"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T11:15:00Z",
"severity": "HIGH"
},
"details": "GalaxyClient version 2.0.28.9 loads unsigned DLLs such as zlib1.dll, libgcc_s_dw2-1.dll and libwinpthread-1.dll from PATH, which allows an attacker to potentially run code locally through unsigned DLL loading.",
"id": "GHSA-wcjf-j4g2-qj96",
"modified": "2022-05-24T17:49:19Z",
"published": "2022-05-24T17:49:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26807"
},
{
"type": "WEB",
"url": "https://illuminati.services/2021/04/29/cve-2021-26807-gog-galaxy-v2-0-35-dll-load-order-hijacking"
},
{
"type": "WEB",
"url": "https://www.gog.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WF6Q-96RM-JX62
Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20Untrusted search path vulnerability in Tween Ver1.6.6.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2279"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-02T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Tween Ver1.6.6.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-wf6q-96rm-jx62",
"modified": "2022-05-17T02:20:12Z",
"published": "2022-05-17T02:20:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2279"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN17523256/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFM5-V35H-VWF4
Vulnerability from github – Published: 2023-08-29 23:33 – Updated: 2024-09-20 20:14Summary
When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.
Details
This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.
The execution of the git command happens in
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996
And there are other commands executed that should probably be aware of this problem.
PoC
On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory
python -c "import git"
The git executable from the current directory will be run.
Impact
An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.
Possible solutions
- Default to an absolute path for the git program on Windows, like
C:\\Program Files\\Git\\cmd\\git.EXE(default git path installation). - Require users to set the
GIT_PYTHON_GIT_EXECUTABLEenvironment variable on Windows systems. - Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the
GIT_PYTHON_GIT_EXECUTABLEenv var to an absolute path. - Resolve the executable manually by only looking into the
PATHenvironment variable (suggested by @Byron)
[!NOTE] This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.32"
},
"package": {
"ecosystem": "PyPI",
"name": "GitPython"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40590"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-29T23:33:53Z",
"nvd_published_at": "2023-08-28T18:15:08Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWhen resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user\u0027s `PATH`.\n\n### Details\n\nThis is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren\u0027t affected by this. But probably people using GitPython usually run it from the CWD of a repo.\n\nThe execution of the `git` command happens in\n\nhttps://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277 \n\nhttps://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996\n\nAnd there are other commands executed that should probably be aware of this problem.\n\n### PoC\n\nOn a Windows system, create a `git.exe` or `git` executable in any directory, and import or run GitPython from that directory\n\n```\npython -c \"import git\"\n```\n\nThe git executable from the current directory will be run.\n\n### Impact\n\nAn attacker can trick a user to download a repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.\n\n### Possible solutions\n \n- Default to an absolute path for the git program on Windows, like `C:\\\\Program Files\\\\Git\\\\cmd\\\\git.EXE` (default git path installation).\n- Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems.\n- Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path.\n- Resolve the executable manually by only looking into the `PATH` environment variable (suggested by @Byron)\n\n---\n\n\u003e [!NOTE]\n\u003e This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.",
"id": "GHSA-wfm5-v35h-vwf4",
"modified": "2024-09-20T20:14:20Z",
"published": "2023-08-29T23:33:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40590"
},
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/issues/1635"
},
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/pull/1636"
},
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/commit/8b75434e2c8a082cdeb4971cc6f0ee2bafec45bc"
},
{
"type": "WEB",
"url": "https://docs.python.org/3/library/subprocess.html#popen-constructor"
},
{
"type": "PACKAGE",
"url": "https://github.com/gitpython-developers/GitPython"
},
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.33"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-161.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GitPython untrusted search path on Windows systems leading to arbitrary code execution"
}
GHSA-WJ79-QQHX-JQHR
Vulnerability from github – Published: 2022-01-27 00:01 – Updated: 2022-02-03 00:00In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerability in the loading mechanism of Windows DLLs could allow a local attacker to perform a DLL hijacking attack. This vulnerability is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with local administrator privileges.
{
"affected": [],
"aliases": [
"CVE-2021-45975"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-26T15:15:00Z",
"severity": "HIGH"
},
"details": "In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerability in the loading mechanism of Windows DLLs could allow a local attacker to perform a DLL hijacking attack. This vulnerability is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with local administrator privileges.",
"id": "GHSA-wj79-qqhx-jqhr",
"modified": "2022-02-03T00:00:40Z",
"published": "2022-01-27T00:01:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45975"
},
{
"type": "WEB",
"url": "https://acercsi.com"
},
{
"type": "WEB",
"url": "https://aptw.tf/2022/01/20/acer-care-center-privesc.html"
},
{
"type": "WEB",
"url": "https://community.acer.com/en/kb/articles/14757-acer-care-center-requires-an-update-to-resolve-a-security-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WM77-VQC5-2VV8
Vulnerability from github – Published: 2025-05-24 18:30 – Updated: 2025-06-17 18:31A vulnerability has been found in Sangfor 零信任访问控制系统 aTrust 2.3.10.60 and classified as critical. Affected by this vulnerability is an unknown functionality in the library MSASN1.dll. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-5129"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-24T17:15:26Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Sangfor \u96f6\u4fe1\u4efb\u8bbf\u95ee\u63a7\u5236\u7cfb\u7edf aTrust 2.3.10.60 and classified as critical. Affected by this vulnerability is an unknown functionality in the library MSASN1.dll. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wm77-vqc5-2vv8",
"modified": "2025-06-17T18:31:37Z",
"published": "2025-05-24T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5129"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1_zGvKXIFLdh5RtxauvNYSa52YONJmY9q/view"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.310207"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.310207"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.571267"
},
{
"type": "WEB",
"url": "https://www.notion.so/Sangfor-Zero-Trust-Access-Control-System-ATrust-Privilege-Escalation-Vulnerability-1eab06dd544b802b87cdd6ba6b70cce9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WMCJ-JPPG-46XH
Vulnerability from github – Published: 2025-06-10 15:30 – Updated: 2025-08-19 15:31A maliciously crafted binary file when downloaded could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to an untrusted search path being utilized in the Autodesk Installer application. Exploitation of this vulnerability may lead to code execution.
{
"affected": [],
"aliases": [
"CVE-2025-5335"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T15:15:25Z",
"severity": "HIGH"
},
"details": "A maliciously crafted binary file when downloaded could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to an untrusted search path being utilized in the Autodesk Installer application. Exploitation of this vulnerability may lead to code execution.",
"id": "GHSA-wmcj-jppg-46xh",
"modified": "2025-08-19T15:31:24Z",
"published": "2025-06-10T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5335"
},
{
"type": "WEB",
"url": "https://emsfs.autodesk.com/utility/odis/1/installer/latest/AdODIS-installer.exe"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMP8-9743-FHP5
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file.
{
"affected": [],
"aliases": [
"CVE-2019-14960"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-01T16:15:00Z",
"severity": "HIGH"
},
"details": "JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file.",
"id": "GHSA-wmp8-9743-fhp5",
"modified": "2024-04-04T02:06:22Z",
"published": "2022-05-24T16:57:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14960"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2019/09/26/jetbrains-security-bulletin-q2-2019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.