Common Weakness Enumeration

CWE-428

Allowed

Unquoted Search Path or Element

Abstraction: Base · Status: Draft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

761 vulnerabilities reference this CWE, most recent first.

GHSA-5CHH-QR8V-GGJR

Vulnerability from github – Published: 2023-05-11 09:30 – Updated: 2023-05-11 09:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in DigitalPersona FPSensor 1.0.0.1. This issue affects some unknown processing of the file C:\Program Files (x86)\FPSensor\bin\DpHost.exe. The manipulation leads to unquoted search path. Attacking locally is a requirement. The identifier VDB-228773 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-11T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in DigitalPersona FPSensor 1.0.0.1. This issue affects some unknown processing of the file C:\\Program Files (x86)\\FPSensor\\bin\\DpHost.exe. The manipulation leads to unquoted search path. Attacking locally is a requirement. The identifier VDB-228773 was assigned to this vulnerability.",
  "id": "GHSA-5chh-qr8v-ggjr",
  "modified": "2023-05-11T09:30:24Z",
  "published": "2023-05-11T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2644"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.228773"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.228773"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FGG-W666-2WMP

Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31
VLAI
Details

Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe' to inject malicious executables and escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T00:15:51Z",
    "severity": "HIGH"
  },
  "details": "Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in \u0027C:\\Program Files\\Easy-Hide-IP\\rdr\\EasyRedirect.exe\u0027 to inject malicious executables and escalate privileges.",
  "id": "GHSA-5fgg-w666-2wmp",
  "modified": "2026-02-05T00:31:01Z",
  "published": "2026-02-05T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25273"
    },
    {
      "type": "WEB",
      "url": "https://easy-hide-ip.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47712"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/easy-hide-ip-easyredirect-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5FQ3-X65J-GVX5

Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33
VLAI
Details

Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-20088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T15:16:32Z",
    "severity": "HIGH"
  },
  "details": "Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.",
  "id": "GHSA-5fq3-x65j-gvx5",
  "modified": "2026-06-19T15:33:18Z",
  "published": "2026-06-19T15:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20088"
    },
    {
      "type": "WEB",
      "url": "https://www.comodo.com"
    },
    {
      "type": "WEB",
      "url": "https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40473"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/comodo-chromodo-browser-unquoted-service-path-privilege-escalation"
    },
    {
      "type": "WEB",
      "url": "http://yildirimyunus.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5G78-6PRG-FX59

Vulnerability from github – Published: 2024-07-15 12:30 – Updated: 2024-07-15 12:30
VLAI
Details

Unquoted Search Path or Element vulnerability in ABB Mint Workbench.

A local attacker who successfully exploited this vulnerability could gain elevated privileges by inserting an executable file in the path of the affected service.

This issue affects Mint Workbench I versions: from 5866 before 5868.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-15T12:15:02Z",
    "severity": "MODERATE"
  },
  "details": "Unquoted Search Path or Element vulnerability in ABB Mint Workbench.\n\n\n\nA local attacker who successfully exploited this vulnerability could gain elevated privileges by inserting an executable file in the path of the affected service.\n\n\nThis issue affects Mint Workbench I versions: from 5866 before 5868.",
  "id": "GHSA-5g78-6prg-fx59",
  "modified": "2024-07-15T12:30:39Z",
  "published": "2024-07-15T12:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5402"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7912\u0026LanguageCode=en\u0026DocumentPartId=1\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5GJ7-JF77-Q2Q2

Vulnerability from github – Published: 2026-03-03 21:34 – Updated: 2026-03-30 13:21
VLAI
Summary
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
Details

Summary

In openclaw<=2026.2.23, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably /opt/homebrew/bin and /usr/local/bin). When a same-name binary (for example jq) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.

Impact

This is an exec allowlist safeBins policy bypass that can lead to command execution in the OpenClaw runtime context. Severity is set to Medium given the required ability to write into trusted host binary directories.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.23
  • Patched versions: >= 2026.2.24 (planned next npm release)
  • Latest published npm version at triage time (2026-02-24): 2026.2.23

Root Cause

  • Default safe-bin trusted directories included package-manager/user-managed paths.
  • Trust decision was directory-membership only for resolved executable paths.

Remediation

  • Restrict default safe-bin trusted directories to immutable system paths: /bin, /usr/bin.
  • Require explicit operator opt-in for package-manager/user paths via tools.exec.safeBinTrustedDirs.

Fix Commit(s)

  • b67e600bff696ff2ed9b470826590c0ce6b3bb0a

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.24). Once npm release 2026.2.24 is published, this advisory should be ready for publish without additional version edits.

OpenClaw thanks @tdjackey for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-428",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:34:45Z",
    "nvd_published_at": "2026-03-19T22:16:33Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIn `openclaw\u003c=2026.2.23`, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably `/opt/homebrew/bin` and `/usr/local/bin`).\nWhen a same-name binary (for example `jq`) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.\n\n### Impact\nThis is an exec allowlist `safeBins` policy bypass that can lead to command execution in the OpenClaw runtime context.\nSeverity is set to Medium given the required ability to write into trusted host binary directories.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.2.23`\n- Patched versions: `\u003e= 2026.2.24` (planned next npm release)\n- Latest published npm version at triage time (2026-02-24): `2026.2.23`\n\n### Root Cause\n- Default safe-bin trusted directories included package-manager/user-managed paths.\n- Trust decision was directory-membership only for resolved executable paths.\n\n### Remediation\n- Restrict default safe-bin trusted directories to immutable system paths: `/bin`, `/usr/bin`.\n- Require explicit operator opt-in for package-manager/user paths via `tools.exec.safeBinTrustedDirs`.\n\n### Fix Commit(s)\n- `b67e600bff696ff2ed9b470826590c0ce6b3bb0a`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`).\nOnce npm release `2026.2.24` is published, this advisory should be ready for publish without additional version edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
  "id": "GHSA-5gj7-jf77-q2q2",
  "modified": "2026-03-30T13:21:53Z",
  "published": "2026-03-03T21:34:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5gj7-jf77-q2q2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-binary-hijacking-via-static-default-trusted-directories-in-safebins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)"
}

GHSA-5HH8-V8WH-8F46

Vulnerability from github – Published: 2026-01-15 18:31 – Updated: 2026-01-15 18:31
VLAI
Details

HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T16:16:07Z",
    "severity": "HIGH"
  },
  "details": "HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.",
  "id": "GHSA-5hh8-v8wh-8f46",
  "modified": "2026-01-15T18:31:30Z",
  "published": "2026-01-15T18:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47762"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50545"
    },
    {
      "type": "WEB",
      "url": "https://www.httpdebugger.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5M6V-4W72-R82Q

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

Aviatrix VPN Client before 2.14.14 on Windows has an unquoted search path that enables local privilege escalation to the SYSTEM user, if the machine is misconfigured to allow unprivileged users to write to directories that are supposed to be restricted to administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-29T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Aviatrix VPN Client before 2.14.14 on Windows has an unquoted search path that enables local privilege escalation to the SYSTEM user, if the machine is misconfigured to allow unprivileged users to write to directories that are supposed to be restricted to administrators.",
  "id": "GHSA-5m6v-4w72-r82q",
  "modified": "2022-05-24T17:49:05Z",
  "published": "2022-05-24T17:49:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31776"
    },
    {
      "type": "WEB",
      "url": "https://docs.aviatrix.com/Downloads/samlclient.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.aviatrix.com/Downloads/samlclient.html#windows-win"
    },
    {
      "type": "WEB",
      "url": "https://docs.aviatrix.com/HowTos/changelog.html#aviatrix-vpn-client-changelog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5MF6-7WVP-G69H

Vulnerability from github – Published: 2024-03-01 09:31 – Updated: 2024-03-01 09:31
VLAI
Details

A local attacker can gain administrative privileges by inserting an executable file in the path of the affected product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-01T08:15:37Z",
    "severity": "HIGH"
  },
  "details": "A local attacker can gain administrative privileges by inserting an executable file in the path of the affected product.",
  "id": "GHSA-5mf6-7wvp-g69h",
  "modified": "2024-03-01T09:31:06Z",
  "published": "2024-03-01T09:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25552"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MJC-G7H8-FCFQ

Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31
VLAI
Details

VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T23:15:55Z",
    "severity": "HIGH"
  },
  "details": "VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup.",
  "id": "GHSA-5mjc-g7h8-fcfq",
  "modified": "2026-01-14T00:31:28Z",
  "published": "2026-01-14T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50918"
    },
    {
      "type": "WEB",
      "url": "https://developer.vive.com/resources/downloads"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50824"
    },
    {
      "type": "WEB",
      "url": "https://www.vive.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vive-runtime-service-viveagentservice-unquoted-service-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5QQH-X2J3-M856

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) in versions prior to 18.0 on Windows. This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-428"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) in versions prior to 18.0 on Windows. This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.",
  "id": "GHSA-5qqh-x2j3-m856",
  "modified": "2022-05-24T19:20:31Z",
  "published": "2022-05-24T19:20:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42563"
    },
    {
      "type": "WEB",
      "url": "https://www.ni.com/en-us/support/documentation/supplemental/21/unquoted-service-path-in-ni-service-locator.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Properly quote the full search path before executing a program on the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.