CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-Q8M8-7JGV-237Q
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version 3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2019-3698"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version 3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions.",
"id": "GHSA-q8m8-7jgv-237q",
"modified": "2022-05-24T17:09:53Z",
"published": "2022-05-24T17:09:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3698"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1156309"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00014.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00022.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q8Q6-RCMJ-G45Q
Vulnerability from github – Published: 2022-05-02 03:50 – Updated: 2022-05-02 03:50MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.
{
"affected": [],
"aliases": [
"CVE-2009-4030"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-11-30T17:30:00Z",
"severity": "MODERATE"
},
"details": "MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.",
"id": "GHSA-q8q6-rcmj-g45q",
"modified": "2022-05-02T03:50:58Z",
"published": "2022-05-02T03:50:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4030"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11116"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8156"
},
{
"type": "WEB",
"url": "http://bugs.mysql.com/bug.php?id=32167"
},
{
"type": "WEB",
"url": "http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.mysql.com/commits/89940"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=oss-security\u0026m=125908040022018\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=oss-security\u0026m=125908080222685\u0026w=2"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38517"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38573"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4077"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-897-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-1997"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/11/19/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/11/24/6"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0109.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0110.html"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1397-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1107"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q8QF-8PCX-VFW7
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c). NOTE: this is applicable to persons who choose to engage in the "A number of self-test programs are included here for unit-testing the library" situation.
{
"affected": [],
"aliases": [
"CVE-2020-35766"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-28T20:15:00Z",
"severity": "HIGH"
},
"details": "The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c). NOTE: this is applicable to persons who choose to engage in the \"A number of self-test programs are included here for unit-testing the library\" situation.",
"id": "GHSA-q8qf-8pcx-vfw7",
"modified": "2022-05-24T17:37:29Z",
"published": "2022-05-24T17:37:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35766"
},
{
"type": "WEB",
"url": "https://github.com/trusteddomainproject/OpenDKIM/issues/113"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q92F-7CWJ-W4W5
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-10-12 19:00NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.
{
"affected": [],
"aliases": [
"CVE-2020-28935"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-07T22:15:00Z",
"severity": "MODERATE"
},
"details": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.",
"id": "GHSA-q92f-7cwj-w4w5",
"modified": "2022-10-12T19:00:39Z",
"published": "2022-05-24T17:35:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28935"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-38"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q93Q-4MXV-67MP
Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2022-04-30 18:18The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file.
{
"affected": [],
"aliases": [
"CVE-2001-1593"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-05T21:55:00Z",
"severity": "LOW"
},
"details": "The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file.",
"id": "GHSA-q93q-4mxv-67mp",
"modified": "2022-04-30T18:18:19Z",
"published": "2022-04-30T18:18:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1593"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737385"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1060630"
},
{
"type": "WEB",
"url": "http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q1/237"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q1/253"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q1/257"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2892"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q94X-HHMW-P4M8
Vulnerability from github – Published: 2022-04-30 18:23 – Updated: 2022-04-30 18:23Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to "unsafe use of temporary files."
{
"affected": [],
"aliases": [
"CVE-2002-2374"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to \"unsafe use of temporary files.\"",
"id": "GHSA-q94x-hhmw-p4m8",
"modified": "2022-04-30T18:23:03Z",
"published": "2022-04-30T18:23:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2374"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-113176-01-1\u0026searchclause=113176"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5540"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q96Q-H836-9Q4H
Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-10-01 00:00Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.
{
"affected": [],
"aliases": [
"CVE-2022-38699"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-28T04:15:00Z",
"severity": "MODERATE"
},
"details": "Armoury Crate Service\u2019s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.",
"id": "GHSA-q96q-h836-9q4h",
"modified": "2022-10-01T00:00:24Z",
"published": "2022-09-29T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38699"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-6522-4eacb-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9WC-HHM5-FJQ7
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 00:38Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization.
{
"affected": [],
"aliases": [
"CVE-2026-6891"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T00:16:15Z",
"severity": "MODERATE"
},
"details": "Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization.",
"id": "GHSA-q9wc-hhm5-fjq7",
"modified": "2026-05-29T00:38:39Z",
"published": "2026-05-29T00:38:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6891"
},
{
"type": "WEB",
"url": "https://canon.jp/support/support-info/260528-2vulnerability-response"
},
{
"type": "WEB",
"url": "https://psirt.canon/advisory-information/cp2026-004"
},
{
"type": "WEB",
"url": "https://www.canon-europe.com/support/product-security"
},
{
"type": "WEB",
"url": "https://www.usa.canon.com/support/canon-product-advisories/CPA2026-004-Vulnerability-Remediation-for-My-Image-Garden-for-macOS-and-CUPS-Printer-Driver-for-macOS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QC66-3Q9C-GRV6
Vulnerability from github – Published: 2025-03-23 18:30 – Updated: 2025-03-23 18:30Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-29795"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-23T17:15:28Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-qc66-3q9c-grv6",
"modified": "2025-03-23T18:30:28Z",
"published": "2025-03-23T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29795"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29795"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCC4-P59M-P54M
Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-03-12 14:21Summary
A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.25 - Latest published npm version included in affected range:
2026.2.25(checked on February 26, 2026) - Patched version (pre-set for release):
2026.2.26
Technical Details
In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including apply_patch), this could allow writes to resolve outside the configured workspace/sandbox boundary.
The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.
Impact
- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.
- Primary impact is integrity of host-side files reachable from that path resolution.
Fix Commit(s)
4fd29a35bb85a1898ebff518364c467058b50e14
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:21:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.25`\n- Latest published npm version included in affected range: `2026.2.25` (checked on February 26, 2026)\n- Patched version (pre-set for release): `2026.2.26`\n\n### Technical Details\nIn affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including `apply_patch`), this could allow writes to resolve outside the configured workspace/sandbox boundary.\n\nThe fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.\n\n### Impact\n- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.\n- Primary impact is integrity of host-side files reachable from that path resolution.\n\n### Fix Commit(s)\n- `4fd29a35bb85a1898ebff518364c467058b50e14`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, the advisory can be published without further field edits.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-qcc4-p59m-p54m",
"modified": "2026-03-12T14:21:54Z",
"published": "2026-03-12T14:21:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4fd29a35bb85a1898ebff518364c467058b50e14"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.