Common Weakness Enumeration

CWE-427

Allowed-with-Review

Uncontrolled Search Path Element

Abstraction: Base · Status: Draft

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

1786 vulnerabilities reference this CWE, most recent first.

GHSA-MGVV-9P9G-3JV4

Vulnerability from github – Published: 2024-07-18 15:26 – Updated: 2024-11-18 16:26
VLAI
Summary
gix-path can use a fake program files location
Details

Summary

When looking for Git for Windows so it can run it to report its paths, gix-path can be tricked into running another git.exe placed in an untrusted location by a limited user account.

Details

Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While gix-path first looks for git using a PATH search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:

https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14

Existing functions, as well as the newly introduced exe_invocation function, were updated to make use of these alternative locations. This causes facilities in gix_path::env to directly execute git.exe in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.

Although unusual setups where the system drive is not C:, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no C:\Program Files (x86) directory.

A limited user on a 32-bit Windows system can therefore create the C:\Program Files (x86) directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses gix-path and do not have git in a PATH directory.

(While having git found in a PATH search prevents exploitation, merely having it installed in the default location under the real C:\Program Files directory does not. This is because the first hard-coded path's mingw64 component assumes a 64-bit installation.)

PoC

On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:

  1. Create a limited user account in lusrmgr.msc or the Settings application.
  2. Log in with that account and, using Windows Explorer or the mkdir command in PowerShell, create the directories C:\Program Files (x86)\Git\mingw32\bin. Although a limited user account cannot create regular files directly in C:\, it can create directories including one called Program Files (x86).
  3. Place a copy of C:\Windows\system32\calc.exe in C:\Program Files (x86)\Git\mingw32\bin and rename it from calc.exe to git.exe. A different test payload may be used if preferred, and the executable need not already be signed or trusted.
  4. Log out, and log in as a different user. This user may be an administrator.
  5. If gitoxide is not installed, install it. If cargo install gitoxide is used for the installation, then the version of gix-path used in the installation can be observed.
  6. The vulnerability is only exploitable if git cannot be found in a PATH search. So, in PowerShell, run gcm git to check if git is present in the PATH. If so, temporarily remove it. One way to do this is for the current shell only, by running $env:PATH to inspect it and by assigning $env:PATH = '...' where ... omits directories that contain git.
  7. Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try gix clone foo or, inside of a repository, gix status, gix config, gix is-changed, gix fetch, ein t hours, or ein t query. This is not exhaustive; most other gix and ein commands that access existing repository state or a network resource likewise run the payload.

Impact

Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses gix-path and must not have git in its PATH.

The main exploitable configuration is one where Git for Windows has been installed but not added to PATH. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its PATH to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a PATH in which the real git.exe can be found, then this cannot be exploited.

This vulnerability is comparable to CVE-2022-24765, in which an uncontrolled path like C:\.git\config, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-path"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.8"
            },
            {
              "fixed": "0.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.8"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T15:26:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen looking for Git for Windows so it can run it to report its paths, `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account.\n\n### Details\n\nWindows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:\n\nhttps://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14\n\nExisting functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.\n\nAlthough unusual setups where the system drive is not `C:`, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no `C:\\Program Files (x86)` directory.\n\nA limited user on a 32-bit Windows system can therefore create the `C:\\Program Files (x86)` directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses `gix-path` and do not have `git` in a `PATH` directory.\n\n(While having `git` found in a `PATH` search prevents exploitation, merely having it installed in the default location under the real `C:\\Program Files` directory does not. This is because the first hard-coded path\u0027s `mingw64` component assumes a 64-bit installation.)\n\n### PoC\n\nOn a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:\n\n1. Create a limited user account in `lusrmgr.msc` or the Settings application.\n2. Log in with that account and, using Windows Explorer or the `mkdir` command in PowerShell, create the directories `C:\\Program Files (x86)\\Git\\mingw32\\bin`. Although a limited user account cannot create regular files directly in `C:\\`, it can create directories including one called `Program Files (x86)`.\n3. Place a copy of `C:\\Windows\\system32\\calc.exe` in `C:\\Program Files (x86)\\Git\\mingw32\\bin` and rename it from `calc.exe` to `git.exe`. A different test payload may be used if preferred, and the executable need not already be signed or trusted.\n4. Log out, and log in as a different user. This user may be an administrator.\n5. If `gitoxide` is not installed, install it. If `cargo install gitoxide` is used for the installation, then the version of `gix-path` used in the installation can be observed.\n6. The vulnerability is only exploitable if `git` cannot be found in a `PATH` search. So, in PowerShell, run `gcm git` to check if `git` is present in the `PATH`. If so, temporarily remove it. One way to do this is for the current shell only, by running `$env:PATH` to inspect it and by assigning `$env:PATH = \u0027...\u0027` where `...` omits directories that contain `git`.\n7. Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try `gix clone foo` or, inside of a repository, `gix status`, `gix config`, `gix is-changed`, `gix fetch`, `ein t hours`, or `ein t query`. This is not exhaustive; most other `gix` and `ein` commands that access existing repository state or a network resource likewise run the payload.\n\n### Impact\n\nOnly Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses `gix-path` and must not have `git` in its `PATH`.\n\nThe main exploitable configuration is one where Git for Windows has been installed but not added to `PATH`. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its `PATH` to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a `PATH` in which the real `git.exe` can be found, then this cannot be exploited.\n\nThis vulnerability is comparable to [CVE-2022-24765](https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2), in which an uncontrolled path like `C:\\.git\\config`, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.",
  "id": "GHSA-mgvv-9p9g-3jv4",
  "modified": "2024-11-18T16:26:53Z",
  "published": "2024-07-18T15:26:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Byron/gitoxide"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gix-path can use a fake program files location"
}

GHSA-MH62-5J9H-2C77

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Uncontrolled search path for some Intel(R) Quartus(R) Prime Pro Edition software for Windows before version 24.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled search path for some Intel(R) Quartus(R) Prime Pro Edition software for Windows before version 24.2 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-mh62-5j9h-2c77",
  "modified": "2024-11-13T21:30:38Z",
  "published": "2024-11-13T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38383"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01195.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MHF4-98X7-2CW4

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn't distributed by Thunderbird. If a computer has already been infected with a malicious library of the alternative filename, and the malicious library has been copied to a directory that is contained in the search path for executable libraries, then Thunderbird will load the incorrect library. This vulnerability affects Thunderbird < 78.9.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-24T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn\u0027t distributed by Thunderbird. If a computer has already been infected with a malicious library of the alternative filename, and the malicious library has been copied to a directory that is contained in the search path for executable libraries, then Thunderbird will load the incorrect library. This vulnerability affects Thunderbird \u003c 78.9.1.",
  "id": "GHSA-mhf4-98x7-2cw4",
  "modified": "2022-05-24T19:06:09Z",
  "published": "2022-05-24T19:06:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29949"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1682101"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MHM2-77W6-F4F8

Vulnerability from github – Published: 2025-12-11 12:30 – Updated: 2025-12-11 12:30
VLAI
Details

A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T12:16:26Z",
    "severity": "MODERATE"
  },
  "details": "A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges.",
  "id": "GHSA-mhm2-77w6-f4f8",
  "modified": "2025-12-11T12:30:28Z",
  "published": "2025-12-11T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64995"
    },
    {
      "type": "WEB",
      "url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHX8-FVJ8-9M2Q

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-18T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.",
  "id": "GHSA-mhx8-fvj8-9m2q",
  "modified": "2022-05-13T01:36:40Z",
  "published": "2022-05-13T01:36:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5170"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100208"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ59-H3Q9-GHFH

Vulnerability from github – Published: 2026-04-25 23:48 – Updated: 2026-05-19 15:56
VLAI
Summary
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.

The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.

Fix

OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.

Fix commits:

  • 62fa5071896e95edc7f67d1cebc70a2859e283af
  • 85d86ebc4bf3d2226d39d132a484f4f7a299fa1b

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-454",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:48:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nWorkspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.\n\nThe impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.\n\n## Fix\n\nOpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.\n\nFix commits:\n\n- `62fa5071896e95edc7f67d1cebc70a2859e283af`\n- `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-mj59-h3q9-ghfh",
  "modified": "2026-05-19T15:56:20Z",
  "published": "2026-04-25T23:48:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44995"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config"
}

GHSA-MJ5J-J2QM-C8G4

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-07-06 00:00
VLAI
Details

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-04T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.",
  "id": "GHSA-mj5j-j2qm-c8g4",
  "modified": "2022-07-06T00:00:27Z",
  "published": "2022-05-24T17:22:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/21297"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue29778"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210312-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ85-QFPM-V6CF

Vulnerability from github – Published: 2024-05-16 21:31 – Updated: 2024-05-16 21:31
VLAI
Details

Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T21:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-mj85-qfpm-v6cf",
  "modified": "2024-05-16T21:31:58Z",
  "published": "2024-05-16T21:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35192"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00831.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJJ4-76FC-Q29V

Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-13 00:33
VLAI
Details

Uncontrolled search path in some Intel(R) VPL software before version 2023.4.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T22:15:31Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled search path in some Intel(R) VPL software before version 2023.4.0 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-mjj4-76fc-q29v",
  "modified": "2025-02-13T00:33:04Z",
  "published": "2025-02-13T00:33:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21830"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01044.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MJR6-9X82-8CGP

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

Dreamweaver version 20.2 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. Successful exploitation could result in a local user with permissions to write to the file system running system commands with administrator privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-21T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dreamweaver version 20.2 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. Successful exploitation could result in a local user with permissions to write to the file system running system commands with administrator privileges.",
  "id": "GHSA-mjr6-9x82-8cgp",
  "modified": "2022-05-24T17:31:43Z",
  "published": "2022-05-24T17:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24425"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/dreamweaver/apsb20-55.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Strategy: Attack Surface Reduction

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.

CAPEC-471: Search Order Hijacking

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.