CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1992 vulnerabilities reference this CWE, most recent first.
GHSA-G2X6-C7HH-8CFM
Vulnerability from github – Published: 2022-05-17 01:27 – Updated: 2022-05-17 01:27axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
{
"affected": [],
"aliases": [
"CVE-2014-1640"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-01-28T00:55:00Z",
"severity": "LOW"
},
"details": "axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.",
"id": "GHSA-g2x6-c7hh-8cfm",
"modified": "2022-05-17T01:27:07Z",
"published": "2022-05-17T01:27:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1640"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90663"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736358"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/01/22/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/01/22/4"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/102383"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G37G-6895-QW74
Vulnerability from github – Published: 2026-07-18 18:30 – Updated: 2026-07-18 18:30A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipulation leads to link following. Local access is required to approach this attack. The exploit is publicly available and might be used. The identifier of the patch is 369ff3d240cf3c0787b50e1e9f182e1a06c71255. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2026-16130"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-18T18:16:37Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipulation leads to link following. Local access is required to approach this attack. The exploit is publicly available and might be used. The identifier of the patch is 369ff3d240cf3c0787b50e1e9f182e1a06c71255. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-g37g-6895-qw74",
"modified": "2026-07-18T18:30:21Z",
"published": "2026-07-18T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-16130"
},
{
"type": "WEB",
"url": "https://github.com/nearai/ironclaw/issues/4797"
},
{
"type": "WEB",
"url": "https://github.com/nearai/ironclaw/pull/4869"
},
{
"type": "WEB",
"url": "https://github.com/nearai/ironclaw/commit/369ff3d240cf3c0787b50e1e9f182e1a06c71255"
},
{
"type": "WEB",
"url": "https://github.com/nearai/ironclaw"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-16130"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/856883"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/379848"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/379848/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G39H-563W-FG8C
Vulnerability from github – Published: 2025-11-11 00:30 – Updated: 2025-12-08 18:30A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2025-11578"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T23:15:41Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-g39h-563w-fg8c",
"modified": "2025-12-08T18:30:25Z",
"published": "2025-11-11T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11578"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G3CJ-QPC9-PHM2
Vulnerability from github – Published: 2023-04-18 18:30 – Updated: 2024-04-04 03:32An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files, allowing for the potential modification or deletion of sensitive files limited only to that specific directory/file object. This vulnerability is bounded only to the time of uninstallation and can only be exploited locally.
At the time of this disclosure, versions before 4.0 are classified as End of Life.
{
"affected": [],
"aliases": [
"CVE-2023-28141"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-18T16:15:09Z",
"severity": "MODERATE"
},
"details": "\nAn NTFS Junction condition exists in the Qualys Cloud Agent\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\narbitrary locations via a local attack vector. This allows attackers to assume\nthe privileges of the process, and they may delete or otherwise on unauthorized\nfiles, allowing for the potential modification or deletion of sensitive files\nlimited only to that specific directory/file object. This vulnerability is\nbounded only to the time of uninstallation and can only be exploited locally.\n\n\n\nAt the time of this disclosure, versions before 4.0 are\nclassified as End of Life.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-g3cj-qpc9-phm2",
"modified": "2024-04-04T03:32:08Z",
"published": "2023-04-18T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28141"
},
{
"type": "WEB",
"url": "https://www.qualys.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G3QR-GJFX-RH5P
Vulnerability from github – Published: 2022-05-28 00:00 – Updated: 2022-06-09 00:00Trend Micro Maximum Security 2022 is vulnerable to a link following vulnerability that could allow a low privileged local user to manipulate the product’s secure erase feature to delete arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2022-30687"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-27T00:15:00Z",
"severity": "HIGH"
},
"details": "Trend Micro Maximum Security 2022 is vulnerable to a link following vulnerability that could allow a low privileged local user to manipulate the product\u2019s secure erase feature to delete arbitrary files.",
"id": "GHSA-g3qr-gjfx-rh5p",
"modified": "2022-06-09T00:00:21Z",
"published": "2022-05-28T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30687"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/tmka-11017"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-789"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G44J-7VP3-68CV
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2024-02-02 15:59Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3629"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-19T22:08:41Z",
"nvd_published_at": "2015-05-18T15:59:15Z",
"severity": "HIGH"
},
"details": "Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization (\"mount namespace breakout\") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.",
"id": "GHSA-g44j-7vp3-68cv",
"modified": "2024-02-02T15:59:34Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3629"
},
{
"type": "WEB",
"url": "https://github.com/docker/docker/commit/d5ebb60bddbabea0439213501f4f6ed494b23cba"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ"
},
{
"type": "WEB",
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3629"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/May/28"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Write in Libcontainer"
}
GHSA-G47J-994J-JC39
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2023-01-31 18:30ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.
{
"affected": [],
"aliases": [
"CVE-2020-6012"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-04T14:15:00Z",
"severity": "LOW"
},
"details": "ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.",
"id": "GHSA-g47j-994j-jc39",
"modified": "2023-01-31T18:30:23Z",
"published": "2022-05-24T17:24:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6012"
},
{
"type": "WEB",
"url": "https://danishcyberdefence.dk/blog/zonealarm-check-point"
},
{
"type": "WEB",
"url": "https://www.zonealarm.com/anti-ransomware/release-history"
},
{
"type": "WEB",
"url": "https://www.zonealarm.com/software/extreme-security/release-history"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G555-PCG3-V642
Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-5137"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-18T16:00:00Z",
"severity": "MODERATE"
},
"details": "tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.",
"id": "GHSA-g555-pcg3-v642",
"modified": "2022-05-17T05:53:11Z",
"published": "2022-05-17T05:53:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5137"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32407"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G5JP-8PCQ-GG3C
Vulnerability from github – Published: 2022-05-17 05:45 – Updated: 2022-05-17 05:45mailscanner 4.55.10 and other versions before 4.74.16-1 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files used by the (1) f-prot-autoupdate, (2) clamav-autoupdate, (3) panda-autoupdate.new, (4) trend-autoupdate.new, and (5) rav-autoupdate.new scripts in /etc/MailScanner/autoupdate/, a different vulnerability than CVE-2008-5140.
{
"affected": [],
"aliases": [
"CVE-2008-5312"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-03T17:30:00Z",
"severity": "MODERATE"
},
"details": "mailscanner 4.55.10 and other versions before 4.74.16-1 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files used by the (1) f-prot-autoupdate, (2) clamav-autoupdate, (3) panda-autoupdate.new, (4) trend-autoupdate.new, and (5) rav-autoupdate.new scripts in /etc/MailScanner/autoupdate/, a different vulnerability than CVE-2008-5140.",
"id": "GHSA-g5jp-8pcq-gg3c",
"modified": "2022-05-17T05:45:03Z",
"published": "2022-05-17T05:45:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5312"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#44"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33117"
},
{
"type": "WEB",
"url": "http://www.mailscanner.info/ChangeLog"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/11/29/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32557"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G5V4-5X39-VWHX
Vulnerability from github – Published: 2022-02-15 00:32 – Updated: 2022-10-25 20:26Impact
The directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.
A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull.
Precisely, the following users of the affected versions are impacted
- oras CLI users who runs oras pull.
- Go programs, which invokes github.com/deislabs/oras/pkg/content.FileStore.
Patches
The problem has been patched by the PR linked with this advisory. Users should upgrade their oras CLI and packages to 0.9.0.
Workarounds
For oras CLI users, there is no workarounds other than pulling from a trusted artifact provider.
For oras package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore, and use other content stores instead, or pull from a trusted artifact provider.
References
For more information
If you have any questions or comments about this advisory: * Open an issue on the GitHub repo * Email the list of maintainers
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/deislabs/oras"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21272"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T14:42:50Z",
"nvd_published_at": "2021-01-25T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.\n\nA well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. \n\nPrecisely, the following users of the affected versions are impacted\n- `oras` CLI users who runs `oras pull`.\n- Go programs, which invokes `github.com/deislabs/oras/pkg/content.FileStore`.\n\n### Patches\nThe problem has been patched by the PR linked with this advisory. Users should upgrade their `oras` CLI and packages to `0.9.0`.\n\n### Workarounds\nFor `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider.\n\nFor `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.\n\n### References\n- [Zip Slip](https://github.com/snyk/zip-slip-vulnerability)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue on the [GitHub repo](https://github.com/deislabs/oras)\n* Email the [list of maintainers](https://github.com/deislabs/oras/blob/main/MAINTAINERS)",
"id": "GHSA-g5v4-5x39-vwhx",
"modified": "2022-10-25T20:26:42Z",
"published": "2022-02-15T00:32:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21272"
},
{
"type": "WEB",
"url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
},
{
"type": "PACKAGE",
"url": "https://github.com/deislabs/oras"
},
{
"type": "WEB",
"url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0099"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Zip slip directory exploit in github.com/deislabs/oras"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.