CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-FXVQ-H88X-3JFR
Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
Squashfs: sanity check symbolic link size
Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk.
The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events:
-
squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size.
-
Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number.
-
The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page.
This patch adds a sanity check which checks that the symbolic link size is not larger than expected.
--
V2: fix spelling mistake.
{
"affected": [],
"aliases": [
"CVE-2024-46744"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T08:15:03Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: sanity check symbolic link size\n\nSyzkiller reports a \"KMSAN: uninit-value in pick_link\" bug.\n\nThis is caused by an uninitialised page, which is ultimately caused\nby a corrupted symbolic link size read from disk.\n\nThe reason why the corrupted symlink size causes an uninitialised\npage is due to the following sequence of events:\n\n1. squashfs_read_inode() is called to read the symbolic\n link from disk. This assigns the corrupted value\n 3875536935 to inode-\u003ei_size.\n\n2. Later squashfs_symlink_read_folio() is called, which assigns\n this corrupted value to the length variable, which being a\n signed int, overflows producing a negative number.\n\n3. The following loop that fills in the page contents checks that\n the copied bytes is less than length, which being negative means\n the loop is skipped, producing an uninitialised page.\n\nThis patch adds a sanity check which checks that the symbolic\nlink size is not larger than expected.\n\n--\n\nV2: fix spelling mistake.",
"id": "GHSA-fxvq-h88x-3jfr",
"modified": "2026-05-12T12:32:07Z",
"published": "2024-09-18T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46744"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/087f25b2d36adae19951114ffcbb7106ed405ebb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b9451ba6f21478a75288ea3e3fca4be35e2a438"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c8906de98d0d7ad42ff3edf2cb6cd7e0ea658c4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/810ee43d9cd245d138a2733d87a24858a23f577d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c3af7e460a526007e4bed1ce3623274a1a6afe5e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ef4e249971eb77ec33d74c5c3de1e2576faf6c90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f82cb7f24032ed023fc67d26ea9bf322d8431a90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fac5e82ab1334fc8ed6ff7183702df634bd1d93d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FXW7-VP2V-8V43
Vulnerability from github – Published: 2022-05-17 05:51 – Updated: 2022-05-17 05:51screenie in screenie 1.30.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.screenie.##### temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5371"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-08T23:30:00Z",
"severity": "MODERATE"
},
"details": "screenie in screenie 1.30.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.screenie.##### temporary file.",
"id": "GHSA-fxw7-vp2v-8v43",
"modified": "2022-05-17T05:51:59Z",
"published": "2022-05-17T05:51:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5371"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00283.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32737"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FXWP-MH6R-G9MM
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-05-14 03:46clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$.
{
"affected": [],
"aliases": [
"CVE-2014-5509"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-08T19:29:00Z",
"severity": "MODERATE"
},
"details": "clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$.",
"id": "GHSA-fxwp-mh6r-g9mm",
"modified": "2022-05-14T03:46:39Z",
"published": "2022-05-14T03:46:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5509"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1135624"
},
{
"type": "WEB",
"url": "https://rt.cpan.org/Public/Bug/Display.html?id=98435"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/69473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G26J-XPV7-CFWG
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-12-08 03:30A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.
{
"affected": [],
"aliases": [
"CVE-2020-8013"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-02T17:15:00Z",
"severity": "LOW"
},
"details": "A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can\u0027t be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.",
"id": "GHSA-g26j-xpv7-cfwg",
"modified": "2022-12-08T03:30:33Z",
"published": "2022-05-24T17:10:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8013"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1163922"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G29R-VM3J-H4PJ
Vulnerability from github – Published: 2025-05-09 18:30 – Updated: 2025-05-09 18:30Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
{
"affected": [],
"aliases": [
"CVE-2024-13962"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-09T16:15:23Z",
"severity": "HIGH"
},
"details": "Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.",
"id": "GHSA-g29r-vm3j-h4pj",
"modified": "2025-05-09T18:30:37Z",
"published": "2025-05-09T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13962"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2CQ-GP92-98C4
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22NVIDIA Windows GPU Display driver contains a vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2019-5665"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-27T23:29:00Z",
"severity": "HIGH"
},
"details": "NVIDIA Windows GPU Display driver contains a vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges.",
"id": "GHSA-g2cq-gp92-98c4",
"modified": "2022-05-13T01:22:32Z",
"published": "2022-05-13T01:22:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5665"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/4772"
},
{
"type": "WEB",
"url": "http://support.lenovo.com/us/en/solutions/LEN-26250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2J6-57V7-GM8C
Vulnerability from github – Published: 2023-03-30 20:20 – Updated: 2024-12-06 15:31Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.
Patches
Fixed in runc v1.1.5, by prohibiting symlinked /proc: https://github.com/opencontainers/runc/pull/3785
This PR fixes CVE-2023-27561 as well.
Workarounds
Avoid using an untrusted container image.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28642"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-30T20:20:23Z",
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIt was found that AppArmor, and potentially SELinux, can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration.\n\n### Patches\nFixed in runc v1.1.5, by prohibiting symlinked `/proc`: https://github.com/opencontainers/runc/pull/3785\n\nThis PR fixes CVE-2023-27561 as well.\n\n### Workarounds\nAvoid using an untrusted container image.\n\n",
"id": "GHSA-g2j6-57v7-gm8c",
"modified": "2024-12-06T15:31:17Z",
"published": "2023-03-30T20:20:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/pull/3785"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencontainers/runc"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241206-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "runc AppArmor bypass with symlinked /proc"
}
GHSA-G2WF-V8Q9-85JJ
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-08-06 00:00Absolute Path Traversal vulnerability in FileviewDoc in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter.
{
"affected": [],
"aliases": [
"CVE-2021-32509"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "Absolute Path Traversal vulnerability in FileviewDoc in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter.",
"id": "GHSA-g2wf-v8q9-85jj",
"modified": "2022-08-06T00:00:52Z",
"published": "2022-05-24T19:07:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32509"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4865-0c967-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G2WX-PHQF-J84Q
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.
{
"affected": [],
"aliases": [
"CVE-2017-18078"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-29T05:29:00Z",
"severity": "HIGH"
},
"details": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.",
"id": "GHSA-g2wx-phqf-j84q",
"modified": "2022-05-13T01:04:10Z",
"published": "2022-05-13T01:04:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18078"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/issues/7736"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43935"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2018/01/29/4"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/01/29/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2X6-C7HH-8CFM
Vulnerability from github – Published: 2022-05-17 01:27 – Updated: 2022-05-17 01:27axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
{
"affected": [],
"aliases": [
"CVE-2014-1640"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-01-28T00:55:00Z",
"severity": "LOW"
},
"details": "axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.",
"id": "GHSA-g2x6-c7hh-8cfm",
"modified": "2022-05-17T01:27:07Z",
"published": "2022-05-17T01:27:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1640"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90663"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736358"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/01/22/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/01/22/4"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/102383"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.