Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1984 vulnerabilities reference this CWE, most recent first.

CVE-2022-21944 (GCVE-0-2022-21944)

Vulnerability from cvelistv5 – Published: 2022-01-26 09:10 – Updated: 2024-09-16 16:43
VLAI
Title
watchman: chown in watchman@.socket unit allows symlink attack
Summary
A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Vendor Product Version
openSUSE openSUSE Backports SLE-15-SP3 Affected: watchman , < 4.9.0 (custom)
Create a notification for this product.
openSUSE Factory Affected: watchman , < 4.9.0-9.1 (custom)
Create a notification for this product.
Date Public
2022-01-10 00:00
Credits
Matthias Gerstner of SUSE
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:00:53.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1194470"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openSUSE Backports SLE-15-SP3",
          "vendor": "openSUSE",
          "versions": [
            {
              "lessThan": "4.9.0",
              "status": "affected",
              "version": "watchman",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Factory",
          "vendor": "openSUSE",
          "versions": [
            {
              "lessThan": "4.9.0-9.1",
              "status": "affected",
              "version": "watchman",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Matthias Gerstner of SUSE"
        }
      ],
      "datePublic": "2022-01-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-19T00:00:00.000Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1194470"
        }
      ],
      "source": {
        "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1194470",
        "defect": [
          "1194470"
        ],
        "discovery": "INTERNAL"
      },
      "title": "watchman: chown in watchman@.socket unit allows symlink attack",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2022-21944",
    "datePublished": "2022-01-26T09:10:09.842Z",
    "dateReserved": "2021-12-16T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:43:44.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4563 (GCVE-0-2022-4563)

Vulnerability from cvelistv5 – Published: 2022-12-16 00:00 – Updated: 2025-04-15 13:02
VLAI
Title
Freedom of the Press SecureDrop gpg-agent.conf symlink
Summary
A vulnerability was found in Freedom of the Press SecureDrop. It has been rated as critical. Affected by this issue is some unknown functionality of the file gpg-agent.conf. The manipulation leads to symlink following. Local access is required to approach this attack. The name of the patch is b0526a06f8ca713cce74b63e00d3730618d89691. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215972.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Link Following -> CWE-61 Symlink Following
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:41:45.676Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/freedomofpress/securedrop/pull/6704"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/freedomofpress/securedrop/commit/b0526a06f8ca713cce74b63e00d3730618d89691"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.215972"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/freedomofpress/securedrop/compare/2.5.0...2.5.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securedrop.org/news/2_5_1-security-advisory/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4563",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T16:57:43.669869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:02:30.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SecureDrop",
          "vendor": "Freedom of the Press",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Freedom of the Press SecureDrop. It has been rated as critical. Affected by this issue is some unknown functionality of the file gpg-agent.conf. The manipulation leads to symlink following. Local access is required to approach this attack. The name of the patch is b0526a06f8ca713cce74b63e00d3730618d89691. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215972."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Link Following -\u003e CWE-61 Symlink Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-10T00:00:00.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://github.com/freedomofpress/securedrop/pull/6704"
        },
        {
          "url": "https://github.com/freedomofpress/securedrop/commit/b0526a06f8ca713cce74b63e00d3730618d89691"
        },
        {
          "url": "https://vuldb.com/?id.215972"
        },
        {
          "url": "https://github.com/freedomofpress/securedrop/compare/2.5.0...2.5.1"
        },
        {
          "url": "https://securedrop.org/news/2_5_1-security-advisory/"
        }
      ],
      "title": "Freedom of the Press SecureDrop gpg-agent.conf symlink",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-4563",
    "datePublished": "2022-12-16T00:00:00.000Z",
    "dateReserved": "2022-12-16T00:00:00.000Z",
    "dateUpdated": "2025-04-15T13:02:30.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4122 (GCVE-0-2022-4122)

Vulnerability from cvelistv5 – Published: 2022-12-08 00:00 – Updated: 2025-04-22 20:30
VLAI
Summary
A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
Impacted products
Vendor Product Version
n/a podman Affected: Podman 4.3.0
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containers/podman/pull/16315"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-4122",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T20:29:19.385033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-59",
                "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T20:30:06.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "podman",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Podman 4.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-08T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983"
        },
        {
          "url": "https://github.com/containers/podman/pull/16315"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-4122",
    "datePublished": "2022-12-08T00:00:00.000Z",
    "dateReserved": "2022-11-22T00:00:00.000Z",
    "dateUpdated": "2025-04-22T20:30:06.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2898 (GCVE-0-2022-2898)

Vulnerability from cvelistv5 – Published: 2022-08-31 20:54 – Updated: 2025-04-16 16:10
VLAI
Title
Measuresoft ScadaPro Server and Client Link Following
Summary
Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow a denial-of-service condition.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Date Public
2022-08-23 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:52:59.859Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:50:09.511855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:10:51.543Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ScadaPro Server and Client",
          "vendor": "Measuresoft",
          "versions": [
            {
              "status": "affected",
              "version": "All Versions"
            }
          ]
        }
      ],
      "datePublic": "2022-08-23T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow a denial-of-service condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-31T20:54:55.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Measuresoft ScadaPro Server and Client Link Following",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2022-08-23T18:30:00.000Z",
          "ID": "CVE-2022-2898",
          "STATE": "PUBLIC",
          "TITLE": "Measuresoft ScadaPro Server and Client Link Following"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ScadaPro Server and Client",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "All Versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Measuresoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow a denial-of-service condition."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06",
              "refsource": "MISC",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2022-2898",
    "datePublished": "2022-08-31T20:54:55.611Z",
    "dateReserved": "2022-08-18T00:00:00.000Z",
    "dateUpdated": "2025-04-16T16:10:51.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2897 (GCVE-0-2022-2897)

Vulnerability from cvelistv5 – Published: 2022-08-31 20:54 – Updated: 2025-04-16 17:48
VLAI
Title
Measuresoft ScadaPro Server and Client Link Following
Summary
Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow privilege escalation..
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Date Public
2022-08-23 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:52:59.807Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2897",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T17:27:28.086217Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T17:48:20.720Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ScadaPro Server and Client",
          "vendor": "Measuresoft",
          "versions": [
            {
              "status": "affected",
              "version": "All Versions"
            }
          ]
        }
      ],
      "datePublic": "2022-08-23T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow privilege escalation.."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-31T20:54:55.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Measuresoft ScadaPro Server and Client Link Following",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2022-08-23T18:30:00.000Z",
          "ID": "CVE-2022-2897",
          "STATE": "PUBLIC",
          "TITLE": "Measuresoft ScadaPro Server and Client Link Following"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ScadaPro Server and Client",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "All Versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Measuresoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow privilege escalation.."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06",
              "refsource": "MISC",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-06"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2022-2897",
    "datePublished": "2022-08-31T20:54:55.020Z",
    "dateReserved": "2022-08-18T00:00:00.000Z",
    "dateUpdated": "2025-04-16T17:48:20.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2145 (GCVE-0-2022-2145)

Vulnerability from cvelistv5 – Published: 2022-06-28 17:45 – Updated: 2024-08-03 00:24
VLAI
Title
Cloudlfare WARP Arbitrary File Overwrite
Summary
Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.
CWE
  • CWE-20 - Improper Input Validation
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Vendor Product Version
Cloudflare WARP Affected: unspecified , < 2022.5.309.0 (custom)
Create a notification for this product.
Credits
Patrick Murphy (@hackandpwn)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:24:44.183Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "WARP",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "2022.5.309.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Patrick Murphy (@hackandpwn)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-28T17:45:20.000Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade WARP client for Windows to the newest version (at least 2022.5.309.0.)"
        }
      ],
      "source": {
        "advisory": "GHSA-6fpc-qxmr-6wrq",
        "discovery": "EXTERNAL"
      },
      "title": "Cloudlfare WARP Arbitrary File Overwrite",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@cloudflare.com",
          "ID": "CVE-2022-2145",
          "STATE": "PUBLIC",
          "TITLE": "Cloudlfare WARP Arbitrary File Overwrite"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WARP",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2022.5.309.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cloudflare"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Patrick Murphy (@hackandpwn)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq",
              "refsource": "MISC",
              "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade WARP client for Windows to the newest version (at least 2022.5.309.0.)"
          }
        ],
        "source": {
          "advisory": "GHSA-6fpc-qxmr-6wrq",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2022-2145",
    "datePublished": "2022-06-28T17:45:20.000Z",
    "dateReserved": "2022-06-21T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:24:44.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0029 (GCVE-0-2022-0029)

Vulnerability from cvelistv5 – Published: 2022-09-14 16:35 – Updated: 2025-06-04 15:08
VLAI
Title
Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File
Summary
An improper link resolution vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local attacker to read files on the system with elevated privileges when generating a tech support file.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks Cortex XDR Agent Affected: 7.7 , < 7.7.3 (custom)
Affected: 7.5 CE , < 7.5.101-CE (custom)
Affected: 5.0 , < 5.0.12-hotfix update (custom)
Create a notification for this product.
Palo Alto Networks Cortex XDR Agent Unaffected: 7.8 all
Unaffected: 7.7.3 , < 7.7* (custom)
Unaffected: 7.5.101-CE , < 7.5 CE* (custom)
Unaffected: 5.0.12-hotfix update , < 5.0* (custom)
Create a notification for this product.
Date Public
2022-09-14 00:00
Credits
Palo Alto Networks thanks Diego García of INCIDE for discovering and reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.370Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2022-0029"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-0029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-04T15:08:25.783065Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-04T15:08:32.763Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "Cortex XDR Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "lessThan": "7.7.3",
              "status": "affected",
              "version": "7.7",
              "versionType": "custom"
            },
            {
              "lessThan": "7.5.101-CE",
              "status": "affected",
              "version": "7.5 CE",
              "versionType": "custom"
            },
            {
              "lessThan": "5.0.12-hotfix update",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Cortex XDR Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "7.8 all"
            },
            {
              "lessThan": "7.7*",
              "status": "unaffected",
              "version": "7.7.3",
              "versionType": "custom"
            },
            {
              "lessThan": "7.5 CE*",
              "status": "unaffected",
              "version": "7.5.101-CE",
              "versionType": "custom"
            },
            {
              "lessThan": "5.0*",
              "status": "unaffected",
              "version": "5.0.12-hotfix update",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks thanks Diego Garc\u00eda of INCIDE for discovering and reporting this issue."
        }
      ],
      "datePublic": "2022-09-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper link resolution vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local attacker to read files on the system with elevated privileges when generating a tech support file."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this vulnerability are expected to become publicly available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-14T16:35:08.000Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2022-0029"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in Cortex XDR agent 5.0.12-hotfix update, Cortex XDR agent 7.5.101-CE, Cortex XDR agent 7.7.3, and all later versions of the Cortex XDR agent."
        }
      ],
      "source": {
        "defect": [
          "CPATR-16806"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-09-14T00:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2022-09-14T16:00:00.000Z",
          "ID": "CVE-2022-0029",
          "STATE": "PUBLIC",
          "TITLE": "Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cortex XDR Agent",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "7.7",
                            "version_value": "7.7.3"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "7.7",
                            "version_value": "7.7.3"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "7.5 CE",
                            "version_value": "7.5.101-CE"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "7.5 CE",
                            "version_value": "7.5.101-CE"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "5.0",
                            "version_value": "5.0.12-hotfix update"
                          },
                          {
                            "version_affected": "!",
                            "version_name": "7.8",
                            "version_value": "all"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "5.0",
                            "version_value": "5.0.12-hotfix update"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Palo Alto Networks"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Palo Alto Networks thanks Diego Garc\u00eda of INCIDE for discovering and reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improper link resolution vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local attacker to read files on the system with elevated privileges when generating a tech support file."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this vulnerability are expected to become publicly available."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.paloaltonetworks.com/CVE-2022-0029",
              "refsource": "MISC",
              "url": "https://security.paloaltonetworks.com/CVE-2022-0029"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue is fixed in Cortex XDR agent 5.0.12-hotfix update, Cortex XDR agent 7.5.101-CE, Cortex XDR agent 7.7.3, and all later versions of the Cortex XDR agent."
          }
        ],
        "source": {
          "defect": [
            "CPATR-16806"
          ],
          "discovery": "EXTERNAL"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2022-09-14T00:00:00.000Z",
            "value": "Initial publication"
          }
        ],
        "x_advisoryEoL": false,
        "x_affectedList": [
          "Cortex XDR Agent 7.7",
          "Cortex XDR Agent 7.5 CE",
          "Cortex XDR Agent 5.0",
          "Cortex XDR Agent"
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2022-0029",
    "datePublished": "2022-09-14T16:35:08.910Z",
    "dateReserved": "2021-12-28T00:00:00.000Z",
    "dateUpdated": "2025-06-04T15:08:32.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0017 (GCVE-0-2022-0017)

Vulnerability from cvelistv5 – Published: 2022-02-10 18:10 – Updated: 2024-09-16 17:58
VLAI
Title
GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation
Summary
An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms.
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks GlobalProtect App Affected: 5.2 , < 5.2.5 (custom)
Affected: 5.1 , < 5.1.10 (custom)
Create a notification for this product.
Palo Alto Networks GlobalProtect App Unaffected: 5.3.*
Create a notification for this product.
Date Public
2022-02-09 00:00
Credits
Palo Alto Networks thanks Christophe Schleypen of NATO Cyber Security Centre Pentesting for discovering and reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.344Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2022-0017"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "GlobalProtect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "5.2.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "5.2.5",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.1.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "5.1.10",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "GlobalProtect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "5.3.*"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks thanks Christophe Schleypen of NATO Cyber Security Centre Pentesting for discovering and reporting this issue."
        }
      ],
      "datePublic": "2022-02-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper link resolution before file access (\u0027link following\u0027) vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T18:10:18.000Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2022-0017"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in GlobalProtect app 5.1.10 on Windows, GlobalProtect app 5.2.5 on Windows and all later GlobalProtect app versions."
        }
      ],
      "source": {
        "defect": [
          "GPC-10982"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-02-09T00:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no known workarounds for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2022-02-09T17:00:00.000Z",
          "ID": "CVE-2022-0017",
          "STATE": "PUBLIC",
          "TITLE": "GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GlobalProtect App",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "5.2",
                            "version_value": "5.2.5"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "5.2",
                            "version_value": "5.2.5"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "5.1",
                            "version_value": "5.1.10"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "5.1",
                            "version_value": "5.1.10"
                          },
                          {
                            "version_affected": "!",
                            "version_name": "5.3",
                            "version_value": "5.3.*"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Palo Alto Networks"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Palo Alto Networks thanks Christophe Schleypen of NATO Cyber Security Centre Pentesting for discovering and reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improper link resolution before file access (\u0027link following\u0027) vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows. GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.5 on Windows. This issue does not affect GlobalProtect app on other platforms."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.paloaltonetworks.com/CVE-2022-0017",
              "refsource": "MISC",
              "url": "https://security.paloaltonetworks.com/CVE-2022-0017"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue is fixed in GlobalProtect app 5.1.10 on Windows, GlobalProtect app 5.2.5 on Windows and all later GlobalProtect app versions."
          }
        ],
        "source": {
          "defect": [
            "GPC-10982"
          ],
          "discovery": "EXTERNAL"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2022-02-09T00:00:00.000Z",
            "value": "Initial publication"
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "There are no known workarounds for this issue."
          }
        ],
        "x_advisoryEoL": true,
        "x_affectedList": [
          "GlobalProtect App 5.2.4",
          "GlobalProtect App 5.2.3",
          "GlobalProtect App 5.2.2",
          "GlobalProtect App 5.2.1",
          "GlobalProtect App 5.2.0",
          "GlobalProtect App 5.2",
          "GlobalProtect App 5.1.9",
          "GlobalProtect App 5.1.8",
          "GlobalProtect App 5.1.7",
          "GlobalProtect App 5.1.6",
          "GlobalProtect App 5.1.5",
          "GlobalProtect App 5.1.4",
          "GlobalProtect App 5.1.3",
          "GlobalProtect App 5.1.1",
          "GlobalProtect App 5.1.0",
          "GlobalProtect App 5.1"
        ],
        "x_likelyAffectedList": [
          "GlobalProtect App 5.0.10",
          "GlobalProtect App 5.0.9",
          "GlobalProtect App 5.0.8",
          "GlobalProtect App 5.0.7",
          "GlobalProtect App 5.0.6",
          "GlobalProtect App 5.0.5",
          "GlobalProtect App 5.0.4",
          "GlobalProtect App 5.0.3",
          "GlobalProtect App 5.0.2",
          "GlobalProtect App 5.0.1",
          "GlobalProtect App 5.0.0",
          "GlobalProtect App 5.0",
          "GlobalProtect App 4.1.13",
          "GlobalProtect App 4.1.12",
          "GlobalProtect App 4.1.11",
          "GlobalProtect App 4.1.10",
          "GlobalProtect App 4.1.9",
          "GlobalProtect App 4.1.8",
          "GlobalProtect App 4.1.7",
          "GlobalProtect App 4.1.6",
          "GlobalProtect App 4.1.5",
          "GlobalProtect App 4.1.4",
          "GlobalProtect App 4.1.3",
          "GlobalProtect App 4.1.2",
          "GlobalProtect App 4.1.1",
          "GlobalProtect App 4.1.0",
          "GlobalProtect App 4.1",
          "GlobalProtect App 4.0.8",
          "GlobalProtect App 4.0.7",
          "GlobalProtect App 4.0.6",
          "GlobalProtect App 4.0.5",
          "GlobalProtect App 4.0.4",
          "GlobalProtect App 4.0.3",
          "GlobalProtect App 4.0.2",
          "GlobalProtect App 4.0.0",
          "GlobalProtect App 4.0",
          "GlobalProtect App 3.1.6",
          "GlobalProtect App 3.1.5",
          "GlobalProtect App 3.1.4",
          "GlobalProtect App 3.1.3",
          "GlobalProtect App 3.1.1",
          "GlobalProtect App 3.1.0",
          "GlobalProtect App 3.1",
          "GlobalProtect App 3.0.3",
          "GlobalProtect App 3.0.2",
          "GlobalProtect App 3.0.1",
          "GlobalProtect App 3.0.0",
          "GlobalProtect App 3.0",
          "GlobalProtect App 2.3.5",
          "GlobalProtect App 2.3.4",
          "GlobalProtect App 2.3.3",
          "GlobalProtect App 2.3.2",
          "GlobalProtect App 2.3.1",
          "GlobalProtect App 2.3.0",
          "GlobalProtect App 2.3",
          "GlobalProtect App 2.2.2",
          "GlobalProtect App 2.2.1",
          "GlobalProtect App 2.2.0",
          "GlobalProtect App 2.2",
          "GlobalProtect App 2.1.4",
          "GlobalProtect App 2.1.3",
          "GlobalProtect App 2.1.2",
          "GlobalProtect App 2.1.1",
          "GlobalProtect App 2.1.0",
          "GlobalProtect App 2.1",
          "GlobalProtect App 2.0.5",
          "GlobalProtect App 2.0.4",
          "GlobalProtect App 2.0.3",
          "GlobalProtect App 2.0.2",
          "GlobalProtect App 2.0.1",
          "GlobalProtect App 2.0.0",
          "GlobalProtect App 2.0",
          "GlobalProtect App 1.2.11",
          "GlobalProtect App 1.2.10",
          "GlobalProtect App 1.2.9",
          "GlobalProtect App 1.2.8",
          "GlobalProtect App 1.2.7",
          "GlobalProtect App 1.2.6",
          "GlobalProtect App 1.2.5",
          "GlobalProtect App 1.2.4",
          "GlobalProtect App 1.2.3",
          "GlobalProtect App 1.2.2",
          "GlobalProtect App 1.2.1",
          "GlobalProtect App 1.2.0",
          "GlobalProtect App 1.2",
          "GlobalProtect App 1.1.8",
          "GlobalProtect App 1.1.7",
          "GlobalProtect App 1.1.6",
          "GlobalProtect App 1.1.5",
          "GlobalProtect App 1.1.4",
          "GlobalProtect App 1.1.3",
          "GlobalProtect App 1.1.2",
          "GlobalProtect App 1.1.1",
          "GlobalProtect App 1.1.0",
          "GlobalProtect App 1.1",
          "GlobalProtect App 1.0.8",
          "GlobalProtect App 1.0.7",
          "GlobalProtect App 1.0.5",
          "GlobalProtect App 1.0.3",
          "GlobalProtect App 1.0.1",
          "GlobalProtect App 1.0"
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2022-0017",
    "datePublished": "2022-02-10T18:10:18.618Z",
    "dateReserved": "2021-12-28T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:58:01.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0012 (GCVE-0-2022-0012)

Vulnerability from cvelistv5 – Published: 2022-01-12 17:30 – Updated: 2024-09-17 01:55
VLAI
Title
Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability
Summary
An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks Cortex XDR Agent Unaffected: 7.4.*
Unaffected: 7.5.*
Unaffected: 7.6.*
Affected: 5.0 , < 5.0.12 (custom)
Affected: 7.2 , < 7.2.4 (custom)
Affected: 7.3 , < 7.3.2 (custom)
Affected: 6.1 , < 6.1.9 (custom)
Create a notification for this product.
Date Public
2022-01-12 00:00
Credits
Palo Alto Networks thanks Chris Au for discovering and reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2022-0012"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "Cortex XDR Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "7.4.*"
            },
            {
              "status": "unaffected",
              "version": "7.5.*"
            },
            {
              "status": "unaffected",
              "version": "7.6.*"
            },
            {
              "changes": [
                {
                  "at": "5.0.12",
                  "status": "unaffected"
                }
              ],
              "lessThan": "5.0.12",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "7.2.4",
                  "status": "unaffected"
                }
              ],
              "lessThan": "7.2.4",
              "status": "affected",
              "version": "7.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "7.3.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "7.3.2",
              "status": "affected",
              "version": "7.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.1.9",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks thanks Chris Au for discovering and reporting this issue."
        }
      ],
      "datePublic": "2022-01-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-12T17:30:15.000Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2022-0012"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in Cortex XDR agent 5.0.12, Cortex XDR agent 6.1.9, Cortex XDR agent 7.2.4, Cortex XDR agent 7.3.2, and all later Cortex XDR agent versions."
        }
      ],
      "source": {
        "defect": [
          "CPATR-13408"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-01-12T00:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "value": "There is no known workaround available for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2022-01-12T17:00:00.000Z",
          "ID": "CVE-2022-0012",
          "STATE": "PUBLIC",
          "TITLE": "Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cortex XDR Agent",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "5.0",
                            "version_value": "5.0.12"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "5.0",
                            "version_value": "5.0.12"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "7.2",
                            "version_value": "7.2.4"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "7.2",
                            "version_value": "7.2.4"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "7.3",
                            "version_value": "7.3.2"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "7.3",
                            "version_value": "7.3.2"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!",
                            "version_name": "7.4",
                            "version_value": "7.4.*"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_name": "6.1",
                            "version_value": "6.1.9"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!\u003e=",
                            "version_name": "6.1",
                            "version_value": "6.1.9"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!",
                            "version_name": "7.5",
                            "version_value": "7.5.*"
                          },
                          {
                            "platform": "Windows",
                            "version_affected": "!",
                            "version_name": "7.6",
                            "version_value": "7.6.*"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Palo Alto Networks"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Palo Alto Networks thanks Chris Au for discovering and reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.paloaltonetworks.com/CVE-2022-0012",
              "refsource": "MISC",
              "url": "https://security.paloaltonetworks.com/CVE-2022-0012"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue is fixed in Cortex XDR agent 5.0.12, Cortex XDR agent 6.1.9, Cortex XDR agent 7.2.4, Cortex XDR agent 7.3.2, and all later Cortex XDR agent versions."
          }
        ],
        "source": {
          "defect": [
            "CPATR-13408"
          ],
          "discovery": "EXTERNAL"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2022-01-12T00:00:00.000Z",
            "value": "Initial publication"
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "There is no known workaround available for this issue."
          }
        ],
        "x_advisoryEoL": false,
        "x_affectedList": [
          "Cortex XDR Agent 7.3",
          "Cortex XDR Agent 7.2",
          "Cortex XDR Agent 7.1",
          "Cortex XDR Agent 7.0",
          "Cortex XDR Agent 6.1",
          "Cortex XDR Agent 5.0"
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2022-0012",
    "datePublished": "2022-01-12T17:30:15.528Z",
    "dateReserved": "2021-12-28T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:55:48.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-47949 (GCVE-0-2021-47949)

Vulnerability from cvelistv5 – Published: 2026-05-10 12:52 – Updated: 2026-05-11 12:51
VLAI
Title
CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack
Summary
CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
Impacted products
Vendor Product Version
Cyberpanel CyberPanel Affected: <= 2.1
Create a notification for this product.
Date Public
2021-08-27 00:00
Credits
Numan Türle
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47949",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T12:50:59.565034Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T12:51:17.987Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CyberPanel",
          "vendor": "Cyberpanel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.1"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Numan T\u00fcrle"
        }
      ],
      "datePublic": "2021-08-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-10T12:52:10.631Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-50230",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/50230"
        },
        {
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ],
          "url": "https://cyberpanel.net/"
        },
        {
          "name": "Product Reference",
          "tags": [
            "product"
          ],
          "url": "https://github.com/usmannasir/cyberpanel"
        },
        {
          "name": "VulnCheck Advisory: CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/cyberpanel-authenticated-remote-code-execution-via-symlink-attack"
        }
      ],
      "title": "CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2021-47949",
    "datePublished": "2026-05-10T12:52:10.631Z",
    "dateReserved": "2026-02-01T11:24:18.719Z",
    "dateUpdated": "2026-05-11T12:51:17.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.